HEARING CHARTER 
1. Purpose 

On Wednesday, May 14, 2003, the House Science Committee will hold a hearing 
to examine federal cyber security research and development (R&D) activities and 
implementation of last year’s Cyber Security Research and Development Act (P.L. 
107-305). 

2. Witnesses 

Dr. Charles E. McQueary is the Under Secretary for Science and Technology at the Department of Homeland Security. Prior to joining the Department, Dr. McQueary served as President of General Dynamics Advanced Technology Systems, and as President and Vice President of business units for AT&T and Lucent Technologies, and as a Director for AT&T Bell Laboratories. 

Dr. Rita R. Colwell is the Director of the National Science Foundation (NSF). Before joining the Foundation, Dr. Colwell served as President of the University of Maryland Biotechnology Institute and Professor of Microbiology at the University of Maryland. She was also a member of the National Science Board from 1984 to 1990. 

Dr. Arden L. Bement, Jr. is the Director of the National Institute of Standards 
and Technology (NIST). Prior to his appointment as NIST director, Dr. Bement was 
professor and head at the School of Nuclear Engineering at Purdue University. Be- 
fore Purdue, he served in a variety of positions, including Vice President of Tech- 
nical Resources and of Science and Technology for TRW Inc. and Deputy Under Sec- 
retary of Defense for Research and Engineering. Dr. Bement has also served as a 
member of the National Science Board and as chair of the NIST Visiting Committee 
on Advanced Technology. 

Dr. Anthony J. Tether is the Director of the Defense Advanced Research Projects Agency (DARPA). Until his appointment as Director of DARPA, Dr. Tether held the position of Chief Executive Officer and President of The Sequoia Group. He has also been Chief Executive Officer for Dynamics Technology Inc. and Vice President of Science Applications International Corporation’s (SAIC) Advanced Technology Sector. Dr. Tether has served on Army and Defense Science Boards. 

3. Overarching Questions 

The hearing will address the following overarching questions: 

1. What is the current status of federally-supported cyber security research and 
development programs in the United States? What level and types of effort 
are needed to meet existing and emerging cyber terrorism threats? 

2. How are cyber security research and development activities coordinated 
among federal agencies? How are gaps in the research portfolio identified 
and filled? How will the new Department of Homeland Security affect the 
coordination process? How will it change the overall portfolio of programs? 

3. What efforts are being made to develop a strong cyber security workforce and 
to establish and expand university educational and research programs rel- 
evant to cyber security? 

4. How do the federal agencies work with industry on cyber security research 
and development efforts? 

4. Brief Overview 

• Information technology systems underpin key industries such as telecommunications and financial services, and also play a vital role in the smooth functioning of critical infrastructures and services, such as transportation systems, the electric power grid, and emergency response capabilities. As the number of ways in which our economy depends on network and computer systems has grown, so has the number of attacks on these information technology systems. For example, the number of incidents reported to the computer security incident response center at Carnegie Mellon University increased 275% from 2000 to 2002, and over 42,000 incidents have already been reported in 2003. 

• Active research and development programs to produce new cyber security 
tools and techniques are necessary to enable us to maintain the performance 
of important networks and systems and improve our ability to defend against 
cyber and physical terrorism. Currently, cyber security research and develop- 
ment is supported and performed at a variety of federal agencies, including 
the National Science Foundation (NSF), the National Institute of Standards 
and Technology (NIST), and the Defense Advanced Research Projects Agency 
(DARPA). Within the new Department of Homeland Security, the Science and 
Technology Directorate will have responsibility for managing research and de- 
velopment programs relevant to cyber security. 

• In November of 2002, the President signed the Cyber Security Research and 
Development Act (P.L. 107-305), which authorized appropriations for the Na- 
tional Science Foundation and the National Institute of Standards and Tech- 
nology to strengthen their programs in computer and network security (CNS) 
research and development and to support CNS research fellowships and 
training programs. However, FY 2003 appropriations and FY 2004 proposed 
funding are significantly below the authorized levels. 

• New hardware and software technologies are rapidly adopted in many industries, and new ways of interfering with computer systems develop just as fast. Multiple federal agencies will need to coordinate their efforts to ensure that new understanding of information and network security is generated and that this knowledge is transitioned into useful cyber security products. Institutions of higher education will have to develop and expand degree programs to ensure that an adequate workforce exists to put the new tools and techniques into practice. The private sector has a critical role to play, as it will contain the developers and suppliers as well as the major purchasers of new cyber security technologies and services. 

5. Background 

Cyber Threats to Critical Infrastructures 

Information technology systems underpin key industries such as telecommuni- 
cations and financial services, and also play a vital role in the smooth functioning 
of critical infrastructures and services, such as transportation systems, the electric 
power grid, and emergency response capabilities. Remote operation of chemical 
plant functions and management of the aircraft control system also depend on soft- 
ware and computer networks. Thus vulnerabilities in various components of net- 
works and computers could be exploited to disrupt and damage these critical sys- 
tems. For example, distributed denial of service attacks could slow Internet traffic 
and bring down important web sites. Cyber attacks on supervisory control and data 
acquisition (SCADA) systems could shut down power plants or disrupt processes at 
chemical manufacturing facilities. Interference with emergency responder commu- 
nications technology could amplify the effects of a physical terrorist attack. 

The vulnerability of the Nation’s information technology infrastructure has been demonstrated many times in the past several years. “Hackers” are arrested for breaking into computer systems to steal and corrupt data, or just to disrupt government or industry services. Major “infections” of computer viruses and worms 1 make the news, and smaller “outbreaks” occur daily. 2 While the impact on physical systems has been minimal to date, the economic impact of successful attacks can be significant. For example, in 2001, the Code Red and Nimda worms spread through e-mail, corporate networks, and Web browsers. Together, they are estimated to have produced $3 billion in costs worldwide due to lost productivity and expenses related to testing, cleaning, and deploying patches to computer systems. In January of 2003, the Slammer (or Sapphire) Worm took advantage of vulnerabilities in server software to generate a damaging level of network traffic, so Internet users experienced difficulty accessing web sites and sending e-mail. In addition, Bank of America automated teller machines were taken off line, Continental Airlines reservation computer systems experienced widespread problems, and an emergency call center in Seattle was essentially blacked out. Thus developing new defenses is critical to ensure that small weaknesses are not exploited to produce major economic consequences. 

1 A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. They are often capable of attaching themselves to other files or e-mail and transmitting themselves across networks and bypassing security systems. Some of the destructive things that viruses can do include deleting or corrupting files and using all the available memory on a system (thereby bringing the system to a halt). A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs. 

2 In 2002, 82,094 incidents were reported to the CERT Coordination Center at Carnegie Mellon University, up 275% from 2000. Also in 2002, the center published 41 security alerts and handled over 200,000 mail messages and over 800 hotline calls. 

The above examples show how a terrorist could target computer systems or net- 
works and create a great deal of disruption and damage. However, terrorists could 
also use information technology systems to amplify the effects of a physical attack 
on people or property. For example, a terrorist planning to release a chemical or 
biological agent could first send an e-mail that appears to be from a trustworthy 
source (a police department or a news agency) to order or urge evacuation of build- 
ings in order to increase the number of people out in the streets when he spreads 
his toxin. Cyber attacks could also be used to interfere with first responder commu- 
nication and coordination systems, hindering the ability to respond to a crisis. Thus 
protection of information systems is a critical part of homeland defense. 

The National Strategy to Secure Cyberspace was released by the Administration 
in February 2003. It includes a number of recommendations to improve the Nation’s 
cyber security now, both in federal systems and in privately-owned infrastructures. 
Currently the Federal Government’s effort to deploy cyber security tools and tech- 
niques (the “operational” cyber security programs) are scattered over many agencies. 
The National Institute of Standards and Technology provides guidance and tools to 
federal agencies and to private industry that enable them to evaluate their cyber 
security needs and the performance of their security systems. The National Security 
Agency has significant programs in encryption. The Department of Homeland Secu- 
rity will have significant responsibilities in this area, both in new programs in its 
Information Analysis and Infrastructure Protection directorate, and in programs 
that are being transferred in, like the Federal Computer Incident Response Center 
(FedCIRC), which provides civilian agencies and departments with offerings in com- 
puter security incident prevention, reporting, analysis, and recovery. There are also 
private organizations, such as the federally-funded CERT Coordination Center at 
Carnegie Mellon University, 3 whose activities include providing technical advice 
about and coordinating responses to security incidents, publishing security alerts, 
and tracking information about vulnerabilities and intruder activities. 

The Need for Cyber Security Research and Development Programs 

In addition to discussing ways to reduce cyber infrastructure vulnerabilities now, 
The National Strategy to Secure Cyberspace also emphasizes the importance of de- 
veloping and carrying out a cyber security research and development agenda for the 
Federal Government. 

Cyber security research and development programs focus on ways to prevent at- 
tacks, to detect them as they are occurring, to respond to them effectively, to miti- 
gate the severity of their effects, to recover as quickly as possible from them, and 
to find the people responsible. In addition to enabling us to avoid damage from 
cyber terrorism, a greater understanding of the weaknesses in computer systems 
and networks and how to protect them will allow computer operators to deflect the 
actions of cyber criminals — out to steal credit card numbers and personal informa- 
tion — and hackers — out to disrupt and destroy for the fun of it. 

In March 2003, the National Academy of Sciences released Information Technology for Counterterrorism: Immediate Actions and Future Possibilities. This report outlines an extensive research agenda for information technology research in many areas. In the information and network security field, the areas of emphasis are: authentication (determining that a system’s users are those with permission to use it), detection (being aware that an attack, or attempted attack, is occurring), containment (mitigating the effects of an attack), and recovery (getting the system back up and functioning after an attack). The report also lists a number of research areas in which advances will impact all facets of the effort to improve cyber security. These areas include reducing the “bugginess” of software, managing the trade-offs between security and functionality more successfully, and gathering information on new and emerging techniques for cyber attacks. 


3 While “CERT” originally stood for “Computer Emergency Response Team,” today the center’s name is officially just “CERT.” 

Existing Federal Cyber Security Research and Development Programs 

The National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) currently have active cyber security-related programs. To support and expand these programs, the Cyber Security Research and Development Act was signed in November 2002. Under this Act, NSF was authorized to expand its computer and network security grants programs, establish new research centers in this area, provide grants to institutes of higher education, and provide fellowships to students to increase the number of people receiving degrees in this area. NIST was authorized to create new program grants for partnerships between academia and industry, new post-doctoral fellowships, and a new program to encourage senior researchers in other fields to work on computer security. The Act authorizes $903 million over five years for these new programs, to ensure that the U.S. is better prepared to prevent and combat terrorist attacks on private and government computers. Specifically, for FY 2004, $110.25 million was authorized for NSF, and $47.29 million for NIST, to enable them to carry out the above programs. However, actual appropriations in FY 2003 and the presidential proposals for FY 2004 both fall far short of the authorized numbers. 4 As a result, NIST will be entirely unable to establish the grants program for academic-industrial research partnerships, and NSF’s grants programs will be significantly smaller than those envisioned in the Act. 

The Department of Homeland Security is currently setting up its organizational 
structure and defining its programmatic priorities for FY 2003 and FY 2004. In the 
department, responsibility for managing research and development efforts relevant 
to cyber security rests in the Science and Technology directorate, while operational 
responsibilities for implementing cyber security fall in the Information Analysis and 
Infrastructure Protection directorate. Public statements have been made indicating 
that there will be no “box” in the organization with specific responsibility for cyber 
security in either the operational or research arenas. Operationally, programs to se- 
cure the cyber infrastructure will be an element of the broader critical infrastruc- 
ture protection efforts. In the Science and Technology directorate, cyber security re- 
search and development programs will be part of the Threat and Vulnerability, 
Testing and Assessment program, and will focus on meeting critical needs of other 
DHS units, such as the Information Analysis and Infrastructure Protection direc- 
torate and the U.S. Secret Service. Less than 1 percent of the Science and Tech- 
nology directorate’s $803 million budget will be directed toward cyber security re- 
search and development. The absence of a clear advocate for cyber security at the 
Department is of particular concern in light of the Administration’s decision in Feb- 
ruary 2003 to eliminate the President’s Critical Infrastructure Protection Board. 
The Board, which was established after the attacks of September 11, 2001, authored 
The National Strategy to Secure Cyberspace and the Board’s director, Richard 
Clarke, did much to raise the level of awareness about the vulnerabilities of the Na- 
tion’s cyber infrastructure and the need for improved cyber security. 

The Defense Advanced Research Projects Agency (DARPA) has played a critical role in information technology research, including cyber security programs. The first firewall, 5 significant advances in intrusion detection systems, and important Internet security protocols were all developed through DARPA programs. In the late 1990s, the agency made a large investment in “defensive” information warfare, which included unclassified research on computer systems’ security and survivability. However, DARPA does not have a history of sustained, stable support of cyber security research and development programs, and, since 2000, the size of this program has declined (from approximately $90 million in 2000 to $30 million in 2003). Part of this decline is due to the fact that DARPA’s focus has shifted to classified research on “offensive” information warfare. Classified research on information security is also done by the National Security Agency (NSA). NSA’s funding for information assurance work is estimated to be roughly $750 million, with roughly half spent on research, development, testing, and evaluation; a significant part of this effort focuses on cryptography. While defense-related work on cyber security is necessary, it is important to recognize that the impact such classified work has on the overall national cyber security is often limited because the research is mainly performed at government facilities and contractors, and the results are seldom shared publicly or transferred to the commercial sector. 

4 For example, NSF cyber security research programs received $28 million in FY 2003 (as compared to $47 million authorized in this area), and the FY 2004 proposal is for $35 million (authorization was $64 million). 

5 A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls are frequently used to prevent unauthorized people from accessing private networks (like those used at companies, universities, and government agencies) over the Internet. All messages (like e-mail) entering or leaving the private network pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. 

Overall, it is currently very difficult to determine the total spending on cyber se- 
curity research and development programs across the Federal Government. Informa- 
tion is currently collected and reported on a variety of relevant areas (such as net- 
working and information technology research and development), but the programs 
specifically devoted to cyber security research and development have not been pulled 
out. OSTP has indicated that agencies will be asked to quantify cyber security re- 
search and development funding within their FY 2005 request. 

Another factor to be considered in assessing the quality of cyber security oper- 
ations and cyber security research in the United States is the critical role of the 
private sector in both areas. As new results emerge from cyber security research 
and development activities, information technology companies will have to turn new 
knowledge into new technologies and services, and industries from banking to elec- 
tric power will have to choose to take advantage of these new capabilities. There- 
fore, federal cyber security research and development programs will have to consider 
ways to encourage technology transfer and facilitate technology uptake. 

Workforce Issues 

Research and development goals and useful new cyber security tools are of no use 
if there are not people to carry out the research programs and put the new tech- 
niques into practice. 6 The Cyber Security Research and Development Act, The Na- 
tional Strategy to Secure Cyberspace, and the National Academy of Sciences’ report 
all emphasize the importance of expanding the relevant workforce. Recommended 
actions range from developing undergraduate and masters programs to train oper- 
ational cyber security personnel to fellowships for post-doctoral and senior scientists 
and engineers to increase participation in information security research programs. 
Current programs in this area are quite small. The National Science Foundation 
has a Cyber Security Scholarship for Service program ($16 million requested for FY 
2004). This program provides scholarships to students in the fields of information 
assurance and computer security in return for a commitment following graduation 
to work for a federal agency. The Department of Defense started a program 7 in 2000 
to provide re-training fellowships for researchers and recent Ph.D.s looking to trans- 
fer into the cyber security field, but this program is ending in 2003. The Cyber Secu- 
rity Research and Development Act authorizes NIST to establish a senior research 
fellowship program that will be open to established researchers who seek to change 
fields into cyber security research, but no funds were requested for that program 
in FY 2004. 

6. Current Issues 

The most pressing issue in cyber security research and development is the under- 
funding of relevant programs. The NSF and NIST programs are well under the au- 
thorized levels. DARPA is ramping down relevant unclassified programs. The pro- 
posed effort in DHS is small. Yet the cyber infrastructure of the United States pene- 
trates all critical infrastructures and forms a fundamental base of the Nation’s 
physical security and economic and social stability. Significant investment in re- 
search and development in computer and network security will be needed to main- 
tain homeland security. Delaying this investment will not only increase current and 
future vulnerabilities, but will also raise future cyber security expenses, from the 
costs associated with damage done by cyber attacks to the expenses of retrofitting 
security systems onto existing hardware and software. 

Each federal agency has its own mission and thus each has its own special role 
to play in cyber security research and development. Multi-agency collaboration and 
a coherent cross-agency strategy are needed to maximize the impact of federal in- 
vestment and to ensure that gaps do not develop in the effort to develop the tools 
needed to build a multi-layer defense of the cyber infrastructure. In addition, since 
many information technology products and their implementations in critical infra- 
structures are developed and owned by the private sector, close communication with 
industry will be required. Finally, growth is needed in educational programs to ex- 
pand research and development programs and to train the workforce required to im- 
plement security techniques in critical computer and network systems. 

7. Witness Questions 

The witnesses were asked to address the following questions in their testimony: 


6 According to NSF, only approximately seven Ph.D.s in cyber security are awarded each year. 

7 The Critical Infrastructure Protection and Information Assurance Fellows (CIPIAF) Program provided funds to cyber security principal investigators to pay post-doctoral fellows coming from non-cyber security backgrounds. 

Questions for Dr. Charles McQueary 

• How will the cyber security research and development agenda at the Depart- 
ment of Homeland Security be defined? Will the department’s science and 
technology directorate develop in-house cyber security expertise and pro- 
grams? How will it coordinate with the department’s operational cyber secu- 
rity programs? 

• What mechanisms will the Department of Homeland Security use to coordi- 
nate its cyber security research and development activities with other federal 
agencies, such as NSF, NIST, and DARPA, with active programs in this area? 

• How will the department interact with cyber security research and develop- 
ment efforts underway in industry? How will it interact with university-based 
cyber security programs? 

Questions for Dr. Rita Colwell 

• What actions has the National Science Foundation (NSF) taken in response 
to the Cyber Security Research and Development Act? In particular, how is 
NSF fulfilling its role as the lead agency for cyber security research and de- 
velopment as specified in Section 7 of the Act? 

• What are NSF’s priorities in cyber security research and development? How 
are these priorities determined? 

• How does NSF coordinate its cyber security research and development activi- 
ties with other federal agencies? 

• To what extent is NSF identifying and working to fill gaps in the federal 
cyber security research and development portfolio? 

Questions for Dr. Arden Bement 

• What actions has NIST taken in response to the Cyber Security Research and 
Development Act? 

• How does NIST coordinate its cyber security research and development activi- 
ties with other federal agencies? How does NIST interact with industry on 
cyber security research and development activities? 

• What are NIST’s priorities in cyber security research and development? How 
are these priorities determined? 

Questions for Dr. Anthony Tether 

• How have DARPA’s information assurance research and development pro- 
grams evolved over the past few years? Is there an increased emphasis on 
military or offensive applications? How is the balance between classified and 
unclassified efforts changing? 

• How does DARPA coordinate its cyber security research and development ac- 
tivities with other federal agencies? 

• How is information about results or technologies that are applicable to the 
protection of commercial networks and privately-owned infrastructures pro- 
vided to relevant research and development communities in industry and aca- 
demia? 

• What are DARPA’s priorities in cyber security research and development? 
How are these priorities determined? 

Appendix I 

Links to referenced documents on cyber security research and development: 

Public Law 107-305: The Cyber Security Research and Development Act (November 2002): 
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ305.107.pdf 

The National Strategy to Secure Cyberspace (February 2003) 
http://www.whitehouse.gov/pcipb/ 

Information Technology for Counterterrorism: Immediate Actions and Future Possi- 
bilities, National Academy of Sciences (March 2003): 
http://bob.nap.edu/html/IT_counterterror/ 
Chairman Boehlert. The hearing will come to order. It is a 
pleasure to welcome everyone here this morning for a hearing on 
a subject that has consumed the Committee over the past couple 
of years: cyber security research and development. We have been 
focused on this topic for good reason. The Nation, quite simply, has 
been under-investigating — investing woefully in cyber security 
R&D and as a result, we lack both the experts and the expertise 
we ought to have in a world that relies so heavily on computers 
and networks for the necessities of everyday life. 

Last year, led by this committee, Congress passed, and the Presi- 
dent signed into law, two landmark bills to try to remedy this prob- 
lem: the Cyber Security Research and Development Act and the 
Homeland Security Act. Both established new programs and au- 
thorized new funds for cyber security R&D. 

Today is our first chance to see what has happened as a result. 
At first blush, the answer appears to be: not nearly enough. Agen- 
cies have neither sought nor set aside adequate funding to imple- 
ment the Cyber Security R&D Act. We hear complaints from 
throughout the research community that the Department of Home- 
land Security is not focusing sufficiently on the problem and 
DARPA is actually reducing its investment in this area. 

I am sure our witnesses today will describe positive actions that 
have been taken, and there are some, but it is impossible not to 
conclude that far more needs to be done. I assure you that this 
committee, we will continue pressing for more action on cyber secu- 
rity R&D. This hearing is only the beginning. We need to work to- 
gether now to prevent devastating attacks in the future. 

I look forward to hearing from all of our witnesses, and we are 
going to do just that. And we have a very distinguished panel, and 
I think all of my colleagues should be very impressed with the 
panel. 

With that, let me introduce the distinguished Ranking Member 
from Texas, not Oklahoma, Texas, Mr. Hall. 

[The prepared statement of Mr. Boehlert follows:] 

Prepared Statement of Chairman Sherwood Boehlert 

It’s a pleasure to welcome everyone here this morning for a hearing on a subject 
that has consumed the Committee over the past couple of years: cyber security R&D. 

We’ve been focused on this topic for good reason. The Nation quite simply has 
been under-investing woefully in cyber security R&D, and as a result we lack both 
the experts and the expertise we ought to have in a world that relies so heavily on 
computers and networks for the necessities of everyday life. 

Last year, led by this Committee, Congress passed, and the President signed into 
law, two landmark bills to try to remedy this problem. The “Cyber Security Re- 
search and Development Act” and the “Homeland Security Act” both established 
new programs and authorized new funds for cyber security R&D. Today is our first 
chance to see what’s happened as a result. 

At first blush, the answer appears to be “not nearly enough.” Agencies have nei- 
ther sought nor set aside adequate funding to implement the Cyber Security R&D 
Act. We hear complaints from throughout the research community that the Depart- 
ment of Homeland Security is not focusing sufficiently on the problem. And DARPA 
is actually reducing its investment in this area. 

I’m sure our witnesses today will describe positive actions that have been taken 
and there are some — but still one can only conclude that far more needs to be done. 
I assure you that this committee will continue pressing for more action on cyber se- 
curity R&D. This hearing is only the beginning. 

We need to work together now to prevent devastating attacks in the future. I look 
forward to working with all our witnesses to do just that. 

Mr. Hall. 
Mr. Hall. You know, all my exes are in Oklahoma this morning. 

I want to join Chairman Boehlert in welcoming everyone to this 
morning’s hearing, because first, you are selected on the basis of 
your knowledge and your service. And I know it takes time to get 
ready. It takes time to come here. It takes time to testify. And we 
appreciate the gift that you give to this committee, and through us, 
to the rest of the Congress. 

Not a day — as Chairman Boehlert has very aptly set out, not a 
day goes by without some mention of information technology in the 
news and as this information technology has become a part of al- 
most every aspect of our economy and of our society. As this has 
happened, we have become familiar with the negative aspects of 
the information revolution: cyber crime. The threats we fear range 
all the way from nuisance hackers, theft and fraud, to the break- 
down of the information infrastructure and everything that de- 
pends on it. 

With the events of the last few years, the security of the informa- 
tion infrastructure has received even more public attention. In Feb- 
ruary, the President released The National Strategy to Secure 
Cyberspace. The President’s strategy emphasizes the need for more 
research efforts, and what I hope to learn today is the context for 
these research efforts and the amount of coordination that occurs 
between agencies and with the private sector. 

In addressing any public policy question, the first thing to ask 
is: “What problems need to be solved?” As was pointed out in a re- 
cent article in Issues in Science and Technology, “Cyber Security: 
Who’s Watching the Store?”, we still lack a solid assessment of this 
threat. Despite the attention that cyber attacks receive in the 
media, there is little real data for estimating the size of the cyber 
security threat. And although I like a good story as much as any- 
one, the plural of anecdote is not data. Without the research to de- 
fine the problem, I think it is difficult to determine the amount of 
money and the effort required to develop a solution to it. 

So I hope today’s witnesses can tell us what they are doing to 
define the scope and size of the problem with real data. We can’t 
afford to have agencies going off on their own to develop a cyber 
security program and then hope the sum will be greater than the 
parts. Because their information infrastructure is largely in the 
hands of the private sector, any effective research agenda must be 
developed with input from the industry. A strategy that relies on 
simply training personnel and then hoping they find jobs is not suf- 
ficient. Research efforts need to be focused on the real problems, 
so I hope our witnesses will tell us about the interactions with in- 
dustry and developing research agendas. 

And I want to thank the witnesses for appearing before the Com- 
mittee, and I look forward to their input on this issue. And I yield 
back my time. 

[The prepared statement of Mr. Hall follows:] 

Prepared Statement of Representative Ralph M. Hall 

I want to join Chairman Boehlert in welcoming everyone to this morning’s hear- 
ing. 

Not a day goes by without some mention of information technology in the news. 
As information technologies have become a part of every aspect of our economy and 
society, we have become familiar with the negative aspects of the information revolution — 
cyber crime. The threats we fear range from nuisance hackers, theft and 
fraud, to the breakdown of the information infrastructure and everything that de- 
pends upon it. 

With events of the last few years, the security of the information infrastructure has 
received even more public attention. In February, the President released The Na- 
tional Strategy to Secure Cyberspace. The President’s strategy emphasizes the need 
for more research efforts. What I hope to learn today, is the context for these re- 
search efforts and the amount of coordination that occurs between agencies and 
with the private sector. 

In addressing any public policy question, the first thing to ask is “What problem 
needs to be solved?” As was pointed out in a recent article in Issues in Science and 
Technology, “Cyber Security: Who’s watching the Store?”, we still lack a solid assess- 
ment of the threat. Despite the attention that cyber attacks receive in the media 
there is little real data for estimating the size of the cyber security threat. And al- 
though I like a good story as much as anyone, the plural of anecdote is not data. 
Without the research to define the problem, I think it’s difficult to determine the 
amount of money and effort required to develop a solution. So I hope today’s wit- 
nesses can tell us what they are doing to define the scope and size of the problem 
with real data. 

I don’t believe we can simply spend our way out of this problem. Therefore, I’m 
hoping that our witnesses can tell us how they coordinate the development of their 
research programs. We can’t afford to have agencies going off on their own to de- 
velop a cyber security program and then hope the sum will be greater than the 
parts. Because our information infrastructure is largely in the hands of the private 
sector, any effective research agenda must be developed with input from the indus- 
try. A strategy that relies on simply training personnel and then hoping they find 
jobs is not sufficient. Research efforts need to be focused on the real problems. So, 
I hope our witnesses will tell us about their interactions with industry in developing 
the research agendas. 

I want to thank our witnesses for appearing before the Committee and I look for- 
ward to their insight on this issue. 

[The prepared statement of Mr. Smith follows:] 

Prepared Statement of Representative Nick Smith 

Today we meet to examine federal efforts to address an extremely important — but 
often under-appreciated — threat to our country: the potentially devastating attacks 
on our nation’s computer networks and infrastructure. 

Almost immediately after the September 11th attacks, the Science Committee 
held multiple hearings to examine just how vulnerable we were to the threat of 
cyber attacks. These hearings revealed that the United States uses more and has 
become more dependent on “cyber” than any other country. Technological advance- 
ments in computers, software, networks and information technology greatly im- 
proved our lives, but they also made our society more vulnerable to disruption. 

We also learned that the threat from other risks, such as computer viruses, hacking, 
and electronic identity theft, presents significant hazards to general commerce, 
personal privacy, and our overall economic system. Finally, and in large part due 
to the interconnectedness of our technological age, we learned that physical security 
was permanently linked to cyber security. As a result, we concluded that Congress 
needed to address cyber security with the same vigilance with which we were ad- 
dressing our physical security at home and abroad. 

So we responded to these realizations by drafting and passing into law the Cyber 
Security Research and Development Act of 2002. This legislation provided a com- 
prehensive, coordinated research framework to address the threats to our computer 
systems. 

I am interested today to learn not only how the Federal Government is imple- 
menting the research coordination provisions of the cyber security bill, but also how 
they are working to ensure implementation of the technologies we now have readily 
available today. Although I am pleased that the Department of Homeland Security 
has requested over $800 million for applied research and development in its Science 
and Technology Directorate, it is not clear whether cyber security will receive appro- 
priate attention within the Directorate. 

We have a very esteemed panel of agency witnesses with us here today, and I 
have many important issues to discuss with them. I look forward to their testimony 
and I am confident that Congress, the Administration, the university community, 
and the private sector will be able to work together to find solutions to the cyber 
security challenges facing America. 
[The prepared statement of Mr. Costello follows:] 

Prepared Statement of Representative Jerry F. Costello 

Good morning. I want to thank the witnesses for appearing before our committee 
to examine the federal cyber security research and development activities and im- 
plementation of the Cyber Security Research and Development Act (P.L. 107-305). 

The Cyber Security Research and Development Act authorized $903 million over 
five years for new federal programs to ensure that the U.S. is better prepared to 
prevent and combat terrorist attacks on private and government computers. The 
legislation was developed following a series of post-September 11th Science Com- 
mittee hearings on the emerging cyber-terrorist threat and the lack of a coordinated 
U.S. response. Despite this new legislative and programmatic initiative, our com- 
puter and communications networks, upon which the country’s economic and critical 
infrastructures for finance, transportation, energy and water distribution, and 
health and emergency services depend, are still among the Nation’s vulnerabilities. 
In addition, funding for FY 2003 and proposed funding for FY 2004 is significantly 
below the authorized levels. 

As a result, valid concerns remain that the U.S. is still not appropriately orga- 
nized and prepared to counter and respond to cyber security. Multiple federal agen- 
cies, as well as institutions of higher education and the private sector, have critical 
roles to play; yet, no enactment of or planning for the National Strategy has oc- 
curred and there is no evidence of coordination among agencies as they developed 
their research and development budget requests for FY 2004. The absence of a clear 
advocate for cyber security at the Department of Homeland Security, coupled with 
the Administration’s decision in February 2003 to eliminate the President’s Critical 
Infrastructure Protection Board, is of particular concern. Further, I am interested 
to know from our witnesses how the Administration determines where the emphasis 
should be in cyber security and how this is reflected in the agency’s budget requests. 

I again thank the witnesses for being with us today and providing testimony to 
our committee. 

[The prepared statement of Ms. Johnson follows:] 

Prepared Statement of Representative Eddie Bernice Johnson 

Thank you, Chairman, for calling this important hearing to examine federal cyber 
security research and development (R&D) activities and the Cyber Security Research 
and Development Act (P.L. 107-305) and I also want to thank our witnesses for 
agreeing to appear today. 

Cyber security is an emerging concept that will redefine computer science and en- 
gineering in our nation as we know it. 

Last February, the Administration released its long-awaited National Strategy to 
Secure Cyber Security. However, it seems that cyber security has slipped in impor- 
tance for the Bush Administration. Rather than target specific industry segments 
and require that they secure themselves by recommending tough new laws and reg- 
ulations, the Administration’s plan recommends that industry and individuals sim- 
ply take greater care. 

Overall, the new DHS’s $37.7 billion budget earmarks only $3 billion for cyber se- 
curity. So the Infrastructure Protection directorate, one of five directorates in the 
DHS, appears in line for less than 10 percent of funds. 

To be fair, the DHS is an immense undertaking, the biggest government reorga- 
nization effort since the Department of Defense was created after World War II. 
Such a reorganization will require time. 

Unfortunately, the Administration does not address criticism that its lack of regulations 
renders it toothless. For example, previous, unpublished drafts had included 
measures that would have forced Internet service providers to offer firewalls to their 
users and would have required wireless hardware makers to improve security. 

It is very important that any plan from the Administration does an effective job 
at identifying threats. Regrettably, this plan does not propose to collect reliable data 
and perform the analysis necessary to define the threat. Without a reliable threat 
assessment, it is almost impossible to tailor an R&D program to meet real needs, 
let alone allocate the appropriate amount of funding to develop solutions. Hopefully, 
our witnesses today will be able to provide answers to our questions that will shine 
light on some of the shortcomings of the Administration’s proposals. 

[The prepared statement of Ms. Lee follows:] 
Prepared Statement of Representative Sheila Jackson Lee 
Mr. Chairman, 

Thank you for calling this extremely timely and enlightening hearing. I also serve 
on the Select Committee on Homeland Security, which is now several months old. 
Despite the continuous pressure from Ranking Member Turner and all of the other 
Democratic Members, that Committee — charged with providing Congressional over- 
sight to our nation’s domestic efforts to protect the American people — has yet to hold 
a single substantive hearing. I am glad that as usual, the Science Committee has 
risen to the challenge, to ask tough questions on sensitive issues. 

National security is obviously foremost on everyone’s minds these days. As we 
work to improve our country’s security, it is important that we take inventory of 
all systems that are vital to the functioning of the Nation, and do all we can to protect 
them. This certainly includes our computer network systems that can be attacked 
anonymously and from far away. These networks are the glue that holds our 
nation’s infrastructure together. An attack from cyberspace could jeopardize electric 
power grids, railways, hospitals and financial services, to name a few. 

We are all aware of the growing number of Internet security incidents. These inci- 
dents can come in many flavors: annoying attacks through e-mails, involving such 
things as computer viruses, denial of service attacks, and defaced web sites; or cyber 
crime, such as identity theft. Such events have disrupted business and government 
activities, and have sometimes resulted in significant recovery costs. 

Our hospitals and power grids, our communications, our transportation systems, 
are all critically dependent on computers and information flow and the satellites 
above us. A terrorist or other criminal tampering with those systems could dev- 
astate entire industries and potentially cost lives. While we have been fortunate so 
far in avoiding a catastrophic cyber attack, Richard Clarke, the President’s cyber- 
terrorism czar from last year, I guess I should say “two czars ago,” said that the 
government must make cyber security a priority or face the possibility of a “Digital 
Pearl Harbor.” 

This was truly a frightening prospect. It motivated me to get more knowledgeable 
and active in the area of cyber security. It motivated this committee, the Chairman 
and Ranking Member, to get busy on hearings and legislation. The Cyber Security 
Research and Development Act is the product of our work. Now I look forward to 
hearing how the Administration and the Agencies are stepping up to the challenges 
that are before us. 

Of course here in the Science Committee, we tend to appreciate good Science — 
good data to guide smart policy. I am troubled by the fact that it seems we still 
do not have good data as to what is the scope of our cyber-vulnerability. We hear 
almost daily anecdotal reports of viruses, or worms, and crashes, but still do not 
know the true magnitude of the problem. We do not know how much is at risk, how 
much is being spent to protect ourselves, and what needs to be spent in the future. 

That has led to a fairly arbitrary set of appropriations figures, probably consider- 
ably lower than what is needed, and probably not always targeted to the programs 
that are most likely to produce results. I am troubled by the Administration’s FY04 
budget request which under-funds cyber security priorities dictated by the Cyber Se- 
curity Research and Development Act. I do not understand why NIST grant pro- 
grams, which have been successful in the past, are being discarded for the near to 
distant future. I hear that we need to save money so that we can offset giant tax 
cuts for the rich that are supposed to grow our economy and create jobs. 

But what kind of economy will we have if our power grid is compromised, or if 
people are afraid to fly because the computers that run our air-traffic have been 
hacked, or if we lost the Internet shopping industry? We need to make smart invest- 
ments now. We need to make sure our agencies are communicating well and cov- 
ering all bases, and filling in security gaps. 

We are in a massive restructuring now of all of our nation’s homeland security 
efforts. We cannot do this in the dark. We need congressional insight and oversight. 
We need public and private sector input. And we need guidance from the top, from 
the Administration. 

I look forward to the dialogue. Thank you. 

Chairman Boehlert. Thank you very much. For the purpose of 
an introduction, the Chair recognizes Mr. Miller of North Carolina. 

Mr. Miller. Thank you, Mr. Chairman. I am pleased to intro- 
duce Dr. Charles McQueary, who is here and I believe is a con- 
stituent, so — although I think as we were chatting just before the 
Committee began, have you now moved within Greensboro? 

Dr. McQueary. Yes, I have. 

Mr. Miller. And where do you now live? 

Dr. McQueary. I now live in the Grandover complex, which I be- 
lieve is Congressman Coble — if I am not mistaken. 

Chairman Boehlert. The gentleman’s time is expired. 

Mr. Miller. Well, I have this all prepared. I might as well go 
ahead. 

Chairman Boehlert. Please do. 

Dr. McQueary. But I still do — I do own a home in your district, 
though, as you point out, that I haven’t sold it yet. 

Mr. Miller. And I will speak — I hope you will speak to whoever 
buys the home and mention my name to them. Well, my former 
constituent, Dr. McQueary, is well regarded in Greensboro in both 
the business community and in — for his civic work. In the private 
sector, he was the president of the General Dynamics Advanced 
Technology Systems. That company focused on electro-optic under- 
sea systems, networking and decision support systems, active con- 
trol systems, and signal processing solutions and software solu- 
tions. I am told that that was a good job for Dr. McQueary. He also 
was a respected member of the community for his civic leadership. 
He was a member of the Board of Trustees of North Carolina A&T, 
North Carolina State University. He was on the Guilford Technical 
Community College as President, CEO Advisory Board. He was 
chairman of Action Greensboro, a political — a public education ini- 
tiative, and a member of the Board of Guilford County Education 
Network. He was also chairman of the Board and a campaign chair 
for the United Way of Greensboro and a member of the Board of 
the World Trade Center of North Carolina. So I am pleased to wel- 
come my former constituent, Dr. McQueary. 

Dr. McQueary. Thank you. 

Chairman Boehlert. Mr. Hall was tempted to claim him for 
Texas. This is Dr. McQueary’s first visit to the Committee, and we 
welcome him here. I gave you the privilege, Mr. Miller, of 
introducing 

Mr. Hall. Mr. Chairman, we all own Dr. Colwell, though. 

Dr. Colwell. Thank you, sir. 

Chairman Boehlert. The other three witnesses are all good 
friends of long standing and have appeared many times and are 
valuable resources for the Committee, but this is your maiden voy- 
age, Dr. McQueary, and we wish you smooth sailing. I avoided in- 
troducing you, because this committee created the position of 
Under Secretary for Science and Technology, because we thought 
it was so important. And I was so pleased that the Administration 
agreed with that and Governor Ridge did, also. But I wasn’t sure 
if I was — I would be well-received in introducing you, because I am 
not sure if you want to thank me or shoot me right about now, be- 
cause you have got a most demanding position. But we are glad to 
have you here. 

And we are always pleased to see Dr. Rita Colwell back. This 
Committee has worked long and well with you. And we are very 
proud of your outstanding accomplishments and the work of the 
National Science Foundation. And with NIST, Dr. Arden Bement, 
a good friend of long standing. We have a special relationship, too, 
and we are glad to welcome you back. And Dr. Tether, it is good 
to see you back. 

I think we should all appreciate the fact that we have four criti- 
cally important people performing exceptional service for the Na- 
tion in their positions. And so we anxiously await your testimony. 
We will start with you, Dr. McQueary. You are first up. 

STATEMENT OF DR. CHARLES E. McQUEARY, UNDER SECRETARY FOR SCIENCE AND 
TECHNOLOGY, DEPARTMENT OF HOMELAND SECURITY 

Dr. McQueary. Thank you. Good morning, Chairman Boehlert, 
Congressman Hall, and all Members of the Committee. It is a 
pleasure for me to accept the opportunity to be with you today and 
discuss the cyber security R&D from a Homeland Security perspec- 
tive. It is an honor and a great responsibility to lead the Depart- 
ment of Homeland Security’s scientific efforts to meet the chal- 
lenges of securing the technology supporting our nation’s infra- 
structures, loosely referred to as “cyber”. And I do want to say 
thank you for having created this position, and it is an honor for 
me to be the first person to fill the position. And I do thank you 
for the work that this committee did in forming that group. 

An important mission of the Science and Technology Directorate 
is to develop and deploy leading technologies and capabilities so 
those who serve to secure the Homeland can perform effectively 
and efficiently. This Directorate will respond, then, to the needs 
and requirements in this area from within the Department. 

The threats to our Homeland are many. We must constantly 
monitor these threats and assess our vulnerabilities to them. We 
must develop new or improved capabilities to counter chemical, bio- 
logical, radiological, nuclear, explosive, and cyber threats and miti- 
gate the effects of terrorist attacks, should they occur. 

The Science and Technology Directorate’s program must also en- 
hance the conventional missions of the Department to protect and 
provide assistance to civilians in response to national disasters, law 
enforcement needs, and other activities. Thus, Science and Tech- 
nology’s key specific areas of emphasis are as follows: develop and 
deploy state-of-the-art, high-performance, low operating cost sys- 
tems to prevent the illicit traffic of radiological and nuclear mate- 
rials and weapons into and within the United States. The second 
item is to provide state-of-the-art, high-performance, low operating 
cost systems to rapidly detect and mitigate the consequences of the 
release of biological and chemical agents. Third, provide state-of- 
the-art, high-performance, low operating cost systems to detect and 
prevent illicit, high-explosive transit into and within the United 
States. Fourth, enhance the missions of all of the departmental 
operational units through targeted research, development, test and 
evaluation, and systems engineering and development. Fifth, de- 
velop and provide capabilities for protecting cyber and other critical 
infrastructures. The sixth item is to develop capabilities to prevent 
technology surprise by anticipating emerging threats. And last, de- 
velop, coordinate, and implement technical standards for chemical, 
biological, radiological, and nuclear countermeasures. 
This Directorate will implement its activities through focused 
portfolios that address biological, chemical, radiological, nuclear, 
and cyber threats; secondly, support the research and development 
needs of the operational units of the Department; and last, receive 
innovative input from private industry and academia as well as na- 
tional and federal laboratories. 

Now allow me to specifically address the Science and Technology 
Directorate in response to cyber security concerns. The operational 
responsibility for this mission within Homeland Security resides 
with the Under Secretary for Information Analysis and Infrastruc- 
ture Protection. The Under Secretary for Science and Technology 
carries the responsibility for ensuring that the necessary research, 
development, test and evaluation activities are carried out to sup- 
port the IAIP mission in cyber security. In practice, the term “cyber 
security” is broadly defined within the community. S&T uses “cyber 
security” to mean “securing the availability, integrity, and con- 
fidentiality of those services provided through technology, such as 
hardware and software systems connected to public and private 
networks that support the critical infrastructures”. 

Our approach to cyber security is essentially to apply the tech- 
nology that supports the infrastructures. To address cyber security 
issues, we recognize that R&D efforts are one facet of a larger mo- 
saic that includes elements, such as identification and mitigation 
of the threat, industry partnership and compliance, and physical 
security. 

Today, there are many cyber security R&D efforts underway and 
more yet to be established that address a range of cyber security 
issues. These represent opportunities for Science and Technology, 
our organization, to leverage existing work in order to address 
those needs and technology gaps that Department of Homeland Se- 
curity identifies as important to securing the Homeland. 

We have started to work with familiarization and coordination 
across the federal sector. During the DHS transition and start-up 
period, members of the Transition Team began to participate in the 
INFOSEC Research Council. Members of this Council include 
DARPA, the NIST, and National Science Foundation, and it is our 
method of coordinating with the community on this topic. 

Additionally, within our staff for Homeland — for the Science and 
Technology Directorate, we have detailees from NIST, the Secret 
Service, National Science Foundation, and NSA to help craft a na- 
tional strategy in cyber R&D that is required by the Homeland Se- 
curity Act and to identify areas for investment that would be car- 
ried out by Science and Technology. 

One of the S&T’s key areas of emphasis is our role in estab- 
lishing DHS technical standards, which will establish DHS per- 
formance criteria for acceptable cyber security — cyber protection 
technologies. Currently, there is a Memorandum of Understanding 
nearing completion for signature between DHS and the technical 
administration of the Department of Commerce. This MOU is an 
agreement to work together to develop common standards to sup- 
port U.S. industry and the Department of Homeland Security. 

As I noted earlier, it is this Directorate’s role to support the 
needs and requirements of DHS and, in particular, those defined 
by the Information Analysis and Infrastructure Protection Directorate 
to provide an enduring resource and ensure the — to provide 
an enduring resource and assure that the necessary RDT&E activi- 
ties are carried out. 

To support the IAIP mission in cyber security, we intend to cre- 
ate a DHS R&D cyber security center. The DHS R&D cyber secu- 
rity center will team with, through partnership and cooperation, 
with those representatives here at this table with me today. This 
center will provide DHS focus for R&D activities and leverage the 
many, many cyber security RDT&E efforts underway in the defense 
and intelligence, academic, and private laboratory communities. We 
see this as a critical — this is critical to coordinate the resources and 
efforts across the government R&D community to accelerate tech- 
nical capabilities that address DHS priorities. 

The center will have five primary roles or functions as follows. 
The center will promote and coordinate cyber security research, in- 
novation, invention, and evaluation in support of the DHS mission 
needs. It will develop strategic research and development programs 
and create testing and evaluation programs to address specific gaps 
in U.S. cyber security capabilities. For example, a unique feature 
of the center will be the utilization of existing or the development 
of new test beds where cyber security methods, tools, and ap- 
proaches can be exercised in a controlled environment and evalu- 
ated against common, accepted standards. 

Developing the test beds and measurement performance stand- 
ards will be an element of the center’s program. It will provide 
communication and coordination among various public and private 
organizations dealing with the many diverse aspects of cyber secu- 
rity. The center will foster national and international cooperation 
in creating a robust and defensible cyber security infrastructure. It 
will support the operational needs of the IAIP Directorate relative 
to vulnerability assessments and new tools and methods for en- 
hancing cyber security. In addition to responding to DHS research, 
development, test, and evaluation needs, the center will provide 
emergency response and reach-back capabilities to on-call technical 
experts to support rapid vulnerability mitigation in response to 
cyber threats. It will cooperate with the National Science Founda- 
tion to foster educational programs and curriculum development to 
help ensure the Nation has the necessary human resources to 
present — who possess the requisite knowledge and skills to ad- 
vance and secure the Nation’s cyber infrastructure. This will be 
done in conjunction with participating universities, who will serve 
as a nucleus for creating the next generation of scientists and engi- 
neers. 

In closing, I would like to thank the Members of the Science 
Committee for the opportunity to speak with you today about the 
Science and Technology concept for addressing cyber security re- 
search and development. We will work hard to partner with the 
community to address the needs and requirements of DHS as well 
as those gaps that exist between the many significant projects al- 
ready developed. S&T is determined to support the mission of DHS 
to protect the critical infrastructures of this nation by working to 
secure the technology that supports them. 
Mr. Chairman and Members of the Committee, this concludes my 
prepared remarks, and I would be happy to take any questions that 
you might have at this time. 

[The prepared statement of Dr. McQueary follows:] 

Prepared Statement of Charles E. McQueary 

Good morning Chairman Boehlert, Congressman Hall, Congressmen and Members 
of the Committee. It is a pleasure for me to accept your invitation to be with you 
today to discuss cyber security R&D. It is an honor and great responsibility to lead 
the Department of Homeland Security (DHS), Science and Technology Directorate’s 
efforts to meet the challenges of securing the technology supporting our nation’s in- 
formation technology infrastructures, often termed “cyber.” An important mission of 
this Directorate is to develop and deploy leading technologies and capabilities so 
those who serve to secure the homeland can perform effectively and efficiently — they 
are my customers. This Directorate will respond then to the needs and requirements 
in this area from within the department. 

The threats to our homeland are many. We must constantly monitor these threats 
and assess our vulnerabilities to them; develop new or improved capabilities to 
counter chemical, biological, radiological, nuclear, explosive and cyber threats; and 
mitigate the effects of terrorist attacks should they occur. The Science and Tech- 
nology (S&T) Directorate’s program must also enhance all of the Department’s mis- 
sions, whether or not they are focused on the threat of terrorism. 

Throughout the initial planning process for the S&T Directorate we have been 
guided by current threat assessments, our understanding of capabilities that exist 
today or that can be expected to appear in the near-term, and, importantly, by the 
priorities spelled out in the President’s National Strategies for Homeland Security, 
Physical Protection of Critical Infrastructures and Key Assets and to Secure Cyber- 
space. 

Thus Science and Technology’s key specific areas of emphasis are to: 

1. Develop and deploy state-of-the-art, high-performance, low-operating-cost 
systems to prevent the illicit traffic of radiological/nuclear materials and 
weapons into and within the United States. 

2. Provide state-of-the-art, high-performance, low-operating-cost systems to rap- 
idly detect and mitigate the consequences of the release of biological and 
chemical agents. 

3. Provide state-of-the-art, high-performance, low-operating-cost systems to de- 
tect and prevent illicit high explosives transit into and within the United 
States. 

4. Enhance missions of all Department operational units through targeted re- 
search, development, test and evaluation, and systems engineering and de- 
velopment. 

5. Develop and provide capabilities for protecting cyber and other critical infra- 
structures. 

6. Develop capabilities to prevent technology-surprise by anticipating emerging 
threats. 

7. Develop, coordinate and implement technical standards for chemical, biologi- 
cal, radiological and nuclear countermeasures. 

We have requested $803M in FY04 to provide applied research, development, 
demonstrations, and testing of products and systems that address these key areas 
of emphasis. This directorate will implement its activities through focused portfolios 
that address biological, chemical, radiological and nuclear, and cyber threats; sup- 
port the research and development needs of the operational units of the Depart- 
ment; and receive innovative input from private industry and academia as well as 
national and federal laboratories. In particular, the Homeland Security Advanced 
Research Projects Agency (HSARPA) will have an essential role in meeting the goals 
and objectives of the Department and the Directorate across the range of the port- 
folios. 

Allow me now to specifically address the Science and Technology Directorate 
(S&T) response to critical infrastructure protection concerns, including cyber secu- 
rity. Consistent with law and policy, the operational assistance and advisory role 
and responsibilities for certain elements of cyber security reside with the Under 
Secretary for Information Analysis and Infrastructure Protection (IAIP). The Under 
Secretary for S&T carries the responsibility for ensuring that the necessary re- 
search, development, test and evaluation (RDT&E) activities are carried out to support the IAIP mission in cyber security. In practice, the term “cyber security” is 
broadly defined within the community. S&T uses “cyber security” to mean securing 
the availability, integrity and confidentiality of those services provided through tech- 
nology such as hardware and software systems, connected to public and private net- 
works (i.e., voice, data and Internet Protocol networks) that support the critical in- 
frastructures. Our concern with cyber security is essentially applied to the tech- 
nology that supports the infrastructures. To address cyber security concerns, we rec- 
ognize that R&D efforts are an element of a larger mosaic that includes elements 
such as identification and mitigation of the threat, industry partnership and compli- 
ance, and physical security. 

Today there are many cyber security R&D efforts already underway, and more yet 
to be established, that address a range of cyber security issues. These represent op- 
portunities for S&T to leverage existing work in order to address both those needs 
and technology gaps for the Federal Government and industry as important to se- 
curing the Homeland. Federal gaps are identified through annual agency and In- 
spector General reports required under the Federal Information Security Manage- 
ment Act. Vulnerability assessments will also help identify federal gaps. There is a 
wide array of technologies that address many needs today not only in government 
laboratories, but also throughout the commercial sector. However, the existence of 
many hard and currently unsolved problems, and the changing nature of the threat, 
will require an ongoing research effort. 

We have started the work of familiarization and coordination across the federal 
sector. During the DHS transition and startup period, members of the transition 
team began to participate in the Infosec Research Council. Membership in this coun- 
cil includes DARPA, NIST and NSF; and it is our means of coordinating with the 
community on this topic. In addition, we have been in communication with the Of- 
fice of Science and Technology Policy, and will be participating in the interagency 
R&D coordination activities of the National Science and Technology Council. 

One of S&T’s key areas of emphasis is our role in establishing DHS technical 
standards, which will establish DHS performance criteria for acceptable cyber-pro- 
tection technologies. Currently, there is a Memorandum of Understanding presented 
for signature between DHS and the Technology Administration at the Department 
of Commerce; this MOU is an agreement to work together to develop common stand- 
ards to support U.S. Industry and DHS. We will work closely with NIST in this en- 
deavor, and have a person on staff detailed from NIST to address cyber security pro- 
grams and standards. 

As I noted earlier, it is this directorate’s role to support the needs and require- 
ments of DHS, in particular those defined by the IAIP Directorate. The Science and 
Technology directorate carries the responsibility for ensuring that the necessary 
RDT&E activities are carried out to support the IAIP mission in cyber security. To 
provide an enduring resource to help meet our mission and responsibilities, we in- 
tend to create a DHS R&D Cyber Security Center. 

The DHS Cyber Security R&D Center will team through partnership and coopera- 
tion with NSF and NIST. This center will provide a DHS focus for R&D activities 
and leverage the many cyber security RDT&E efforts underway in the defense and 
intelligence, academic and private laboratory communities. We see this as critical 
to coordinate the resources and efforts across the government R&D community to 
accelerate technical capabilities that address DHS priorities. 

The center will have five primary roles or functions, as follows: 

• Promoting and coordinating cyber security research, innovation, invention 
and evaluation in support of the DHS mission needs. It will develop strategic 
research and development programs, and create testing and evaluation pro- 
grams to address specific gaps in U.S. cyber security capabilities. For exam- 
ple, a unique feature of the Center will be the utilization of existing, or the 
development of new, test beds where cyber security methods, tools, and ap- 
proaches can be exercised in a controlled environment and evaluated against 
common, accepted standards. Developing the test beds and measurement-per- 
formance standards will be an element of the Center’s program. 

• Providing communication and coordination among various public and private 
organizations dealing with the many diverse aspects of cyber security. The 
Center will foster national and international cooperation in creating a robust 
and defensible cyber infrastructure. 

• Supporting the operational needs of the IAIP directorate relative to vulner- 
ability assessments and new tools and methods for enhancing cyber security. 

• Cooperating with NSF to foster educational programs and curriculum devel- 
opment to help ensure the Nation has the necessary human resources who 
possess the requisite knowledge and skills to advance and secure the Nation’s 
cyber infrastructure. This will be done in conjunction with participating universities who will serve as a nucleus for creating the next generation of scientists and engineers. 

Although much of the S&T portfolio will be focused on very difficult problems re- 
quiring extensive research, a portion of the program will be dedicated to addressing 
nearer-term problems in support of DHS mission requirements. In addition to estab- 
lishing the center through FY03 funding, S&T will begin work on the following spe- 
cific areas: 

• Supporting the U.S. Secret Service National Threat Assessment Center and 
CERT/Coordination Center at Carnegie Mellon University on a comprehen- 
sive assessment of Insider Threats and defense strategies. 

o The need to identify and mitigate the insider threat is critical to the 
physical and cyber security plans of the critical infrastructures of the 
United States. 

o Reducing the ability of inside actors to assist outside threats will provide 
increased security to the critical infrastructures of this country. 

• Conducting a feasibility study for trace-back and geo-location of source attack. 

o The watch and warning mission of the IAIP directorate requires the ability to identify and track the source location of cyber attackers. 

o This study will determine the status of currently available trace-back and 
geographical location technology, capability gaps, and potential policy im- 
plications. 

• Developing patch verification technology in support of IAIP’s patch manage- 
ment efforts to accelerate the speed with which cyber-protection software up- 
dates are evaluated, validated, and applied to civilian organizations. 

o Computer network attacks have historically exploited known, published 
vulnerabilities. All of the infected systems were without the appropriate 
patches in time to close the vulnerabilities and ensure protection. As a 
result, there was significant economic impact and resource availability 
issues to the private businesses that participate in the critical infrastruc- 
ture of this country. 

o Many times the failure to apply the patch was a result of time required 
to test the patch against a duplicate of a critical system to ensure there 
would be no negative impact on business or government critical services. 
The goal of this project is to provide an efficient, low cost solution to this 
problem. 

o This study will determine the feasibility of this technology and rec- 
ommend potential solutions for further RDT&E. 

• Expanding development of technologies for detecting covert threats that carry 
the risk of creating major disruption to critical infrastructures such as finan- 
cial systems before they are discovered. 

o Existing intrusion and threat detection systems utilizing signature based 
identification often provide false positives or large amounts of log data 
so that their effectiveness has diminished in the overall cyber security ar- 
chitecture. The benefits of the next-generation intrusion detection system 
will identify and categorize all intrusions regardless of the threat signa- 
ture. 

o This project will begin research, development, test and evaluation on 
next generation detection systems. 

• Conducting a feasibility study for the scalability and technology application 
of Secure Border Gateway Protocol and Secure Domain Name Services. 

o The Secure Border Gateway Protocol and Secure Domain Name Services 
protocol seek to secure two vulnerable protocols, on which the movement 
of network traffic depends. 

o This study will determine the feasibility and scalability of these protocols 
on existing network infrastructure; and make any recommendations on 
the need for further RDT&E if required. 

We are therefore taking steps in S&T to establish key relationships with the 
major cyber security R&D organizations to provide a focus for DHS technology inno- 
vation and capability development in a new Center, and have defined initial projects 
in support of the Secret Service and IAIP near-term needs. As the IAIP Directorate 
begins to define its long-term goals and needs, we will leverage other federally fund- 
ed activities, academia, and private industry to provide solutions. 

In closing, I would like to thank the Members of the Science Committee for the 
opportunity to speak with you today about the Science and Technology concept for 
addressing cyber security research and development. We will work with diligence 
to partner with the R&D community to address the needs and requirements of DHS, 
as well as those gaps that exist between the many productive projects already devel- 
oped. S&T is determined to support the mission of DHS to protect the critical infra- 
structures of this nation by working to secure the technology that supports them. 

Mr. Chairman and Members of the Committee, this concludes my prepared state- 
ment. I would be pleased to address any questions you may have. 

Biography for Charles E. McQueary 

On January 10 President Bush announced his intention to nominate Dr. Charles 
E. McQueary to be Under Secretary for Science and Technology. 

Most recently, Dr. McQueary served as President, General Dynamics Advanced 
Technology systems, in Greensboro, N.C., a company that focuses on electro-optic 
undersea systems, networking and decision support systems, active control systems, 
signal processing solutions and software solutions. 

Prior to General Dynamics, Dr. McQueary served as President and Vice President 
of business units for AT&T, Lucent Technologies, and as a Director for AT&T Bell 
Laboratories. 

In addition to his professional experience, Dr. McQueary has served his commu- 
nity in many leadership roles — as Chair of the Board, and Campaign Chair, of the 
United Way of Greensboro; Member of the Board of Trustees of North Carolina Ag- 
ricultural and Technical (A&T) State University; Member of the Guilford Technical 
Community College (GTCC) President’s CEO Advisory Committee; Member of Board 
of World Trade Center North Carolina; Chair for Action Greensboro Public Edu- 
cation Initiative; and as a Member of the Board of Guilford County Education Net- 
work. 

Dr. McQueary holds both a Ph.D. in Engineering Mechanics and an M.S. in Me- 
chanical Engineering from the University of Texas, Austin. The University of Texas 
has named McQueary a Distinguished Engineering Graduate. 

Chairman Boehlert. Thank you very much. You are now a vet- 
eran testifying 

Dr. McQueary. Thank you. 

Chairman Boehlert [continuing]. Before the Science Committee. 

Dr. McQueary. Thank you. 

Chairman Boehlert. Welcome back, Dr. Colwell. You are up 
next. 

STATEMENT OF DR. RITA R. COLWELL, DIRECTOR, NATIONAL 
SCIENCE FOUNDATION 

Dr. Colwell. Mr. Chairman and Members of the Committee, I 
appreciate the opportunity to appear before you today to discuss 
the importance of improving the security of our information infra- 
structure. 

Last November, as a result of your strong leadership, Mr. Chair- 
man, Congress enacted and the President signed into law the Cyber 
Security Research and Development Act of 2002. This law author- 
izes important research and education activities to protect the Na- 
tion’s critical information technology systems against failures from 
accident or attack. NSF is fully supportive of this action. 

NSF’s attention to cyber security dates back to at least 1978 with 
an investment in cryptography that led to the public key infra- 
structure that is widely used to secure cyber transactions today. In 
2001, and I would point out September 6, 2001, we established a 
trusted computing research program to focus attention on the con- 
tinuing need for research in this area. In 2002, we saw a rapid rise 
in cyber security interest by the research community. And this 
year, I have to tell you, we are dealing with a flood of proposals 
as I previously shared with you. The Cyber Security Research and 
Development Act provides us with new authority and an additional 
sense of urgency to expand our capacity to guard against attacks 
on our nation’s computer and network systems. 

Let me briefly share with you the current state of NSF funding 
for cyber security research, tell you where we are — what we are 
doing, and then indicate where we are going. When the appropria- 
tion process was completed in February, our Cyber Directorate dou- 
bled its funding for research to $30 million. In addition, the NSF 
Federal Cyber Service — Scholarships for Service program provides 
$11 million to increase the production of information assurance and 
computer security professionals. A total of about $53 million is fo- 
cused on cyber security, because NSF clearly understands the ur- 
gency of the need for cyber security. With these investments, NSF 
is focusing on discovery, learning, and innovation to secure today’s 
systems, to embed contemporary security principles and practices 
in all aspects across the board of cyber systems design in many — 
in all disciplines, and to prepare a world-class workforce of infor- 
mation technology professionals with state-of-the-art security skills 
that span research all the way to operations. 

Beginning in 2004, the entire suite of cyber security activities 
will be managed under one integrated, crosscutting program called 
“Cyber Trust.” The Cyber Trust portfolio of awards will include a 
range of multidisciplinary, multi-investigator awards, as well as 
the more focused single investigator awards. And we believe this 
will ensure the NSF’s whole investment in cyber security research 
and education is greater than simply the sum of its parts. 

In order to generate innovative approaches to the complex com- 
puter and network security problems that our nation faces, NSF 
will fund projects of sufficient scope and scale to foster multidisci- 
plinary collaboration between computer scientists, engineers, math- 
ematicians, and social science researchers. We will make awards 
that range in size from single investigator grants to multi-investi- 
gator center-scale awards of up to $3 million. Now this portfolio of 
Cyber Trust investments will ensure that a powerful mix of cut- 
ting-edge research is funded through a number of competitive 
awards. 

NSF will also inform the community of opportunities to compete 
for the center-scale awards in these, and other related areas, 
through programs like the STC’s, the science and technology cen- 
ters, the engineering research centers, and the Industry/University 
Cooperative Research Centers. 

Now I would like to point out that we changed the title “Cyber 
Trust,” because our understanding is that the public not only 
wants their information systems to be secure, but they want to be 
able to trust them in all kinds of situations. As a simple example, 
they need to be able to trust the data, their data, will be kept pri- 
vate. NSF believes that a highly collaborative and inclusive coordi- 
nated effort is necessary to overcome the many technological chal- 
lenges that are inherent in securing the Nation’s cyber systems. 
Accordingly, NSF will seek to establish a multi-sector cyber secu- 
rity partnership, a public/private partnership that will allow NSF 
to develop strategic frameworks to guide future research and education investments in the field, investments that must be made by 
both the public and the private sectors. 

NSF will engage key federal agencies in the partnership endeav- 
or, and we have already begun to do so in discussions with NIST. 
We will draw on the current interagency efforts in this area. The 
coordination has begun strongly with NIST, because NIST has the 
powerful connections to industry. In addition, NSF staff are very 
active in formal interagency activities that support cyber security 
collaborations, like the INFOSEC Research Council and the 12- 
agency Networking and Information Technology Research and De- 
velopment Interagency Working Group. We refer to this as NITRD, 
which NSF chairs. The Working Group, we chair. 

NSF will convene a series of workshops this summer to engage 
researchers, educators, and practitioners in finding the most effec- 
tive ways to build capacity and to build it quickly. The workshops 
will also examine implementation strategies to support faculty 
traineeships in cyber security. These are programs that will enable 
existing Ph.D.s to pursue academic careers in cyber security. 

And we scheduled the meeting for mid-August to facilitate multi- 
disciplinary research and education activities by bringing together 
all of the principal investigators, the PIs, from the newly integrated 
Cyber Trust program. Now this group of PIs will form a research 
collaboration network, which will facilitate interaction between 
groups of investigators to communicate and coordinate research ef- 
forts across disciplinary, organizational, institutional, and geo- 
graphical boundaries. And the network can then be coupled to the 
NIST activities to speed up the practical application of the research 
efforts. 

Mr. Chairman, the Cyber Security Research and Development Act 
addresses a very, very critical need for our nation. NSF is appre- 
ciative of the confidence you have expressed in us to lead this ef- 
fort, and we intend to build on that confidence. And we will make 
sure that all of the funds we are allocated and appropriated will 
be very well used. We eagerly look forward to working with you 
and your staff to ensure that all of the goals of the Act are fulfilled. 

Thank you. 

[The prepared statement of Dr. Colwell follows:] 

Prepared Statement of Rita R. Colwell 

Mr. Chairman and Members of the Committee, I appreciate the opportunity to ap- 
pear before you today to discuss the importance of improving the security of our in- 
formation infrastructure. Last November, as a result of the strong leadership that 
you provided, Congress enacted the Cyber Security Research and Development Act 
(Public Law 107-305) of 2002. This law authorizes important research and edu- 
cation activities to build our capacity to gird the Nation’s critical information tech- 
nology systems against failures from accident or attack. 

The Cyber Security Research and Development Act accurately focuses on the need 
for research, enhanced integration of activities from the diverse disciplines that im- 
pact our ability to secure our systems, and production of computer professionals 
with the requisite skills needed to implement the latest cyber security techniques. 

NSF agrees wholeheartedly with this focus and we are moving expeditiously to 
address these needs, both through focused investments with current year appropria- 
tions and by carefully fashioning plans for implementation in FY 2004 and beyond. 

Persistent Challenges and Preceding Actions 

Computers and networked systems are ubiquitous in our society. Over the past 
decade, the Internet has grown tremendously, from its early state as a small network of academicians, into a full-fledged vital information infrastructure that Americans rely on as much as they rely on electricity, water, and roadway networks. Entire sectors of our economy run minute-to-minute mission critical operations over 
nationally and internationally networked systems. The increase in our reliance on 
these systems, combined with the increased threat of malicious attack, has shed 
new light on the importance of generating new knowledge to secure them. New 
knowledge workers are also needed to deploy and operate these systems safely and 
reliably. 

Today’s computing and communications infrastructure does many things well, but 
suffers from a number of flaws and weaknesses that make it less than dependable, 
particularly in the case of attacks. These shortcomings include (1) latent flaws in 
widely distributed software, (2) decreasing diversity of software components, (3) poor 
technical means for managing security infrastructure, (4) inadequate technical con- 
trols for needed collaboration policies, (5) lack of convenient, scalable, strong au- 
thentication, and (6) inadequate security mechanisms for new technologies. Further, 
the infrastructure lacks effective means for detecting when these flaws and weak- 
nesses are exploited, and for responding when such exploitations are detected. 

It is appropriate that government devote substantial public resources to develop 
knowledge and capabilities in the area of cyber security. Market pressures tend to 
emphasize time-to-market of software and systems. Often IT products are released 
with known flaws that weaken reliability of the system and may create severe 
vulnerabilities. Improving the quality and diminishing the costs associated with em- 
bedding security principles into all cyber systems design and development will be 
essential to our success. 

NSF has a longstanding commitment to creating new knowledge that will improve 
the security of our nation’s computer and network infrastructure. NSF attention to 
cyber security dates back to a 1978 investment in cryptography, which led to the 
public key infrastructure that is widely used for secure cyber transactions today. 
Our expanded FY 2003 investments in Trusted Computing, Data and Applications 
Security, Network Security and the Federal Cyber Service programs show how our 
sense of urgency in this field has grown. With the passage of the Cyber Security Re- 
search and Development Act, Congress has allowed us to act on this sense of urgency 
and expand the Nation’s capacity to guard against attacks on our computer and net- 
work systems. 

Current Year Actions 

Mr. Chairman, you and this committee were an important part of the support for 
the appropriation increase that NSF received in February. Cyber security research 
funding has increased by $15 million over FY 2002 to reach $30 million. With the 
Scholarships for Service program, this brings the agency’s total FY 2003 investment 
in cyber security to $41 million. 

A Strategic Approach 

In short NSF seeks to enable discovery, learning and innovation that will: 

• Secure today’s systems; 

• Embed contemporary security principles and practices in all aspects of cyber 
systems design and development of tomorrow’s systems; and 

• Prepare a world-class workforce of information technology professionals, with 
state-of-the-art security skills spanning research to operations. 

NSF will do so, informed by the interests and efforts of its partners in the cyber 
security field, including those in academe, industry and other government agencies. 

Our investments are guided by three core strategies that have proven effective 
across all science and engineering domains. 

1. Develop intellectual capital. 

NSF invests in cyber security activities, including multidisciplinary projects, 
which enhance the individual and collective capacity to contribute cyber security 
solutions, thus building cyber security capacity for many years to come. The agen- 
cy uses its competitive, merit-review process to ensure that only research and 
education projects of the highest quality are funded. 

2. Integrate research and education. 

NSF investments in cyber security integrate research and education, assuring 
that findings and methods of cyber security research are quickly and effectively 
communicated in a broader context, to a larger audience and are thus more effec- 
tively embedded in practice. 

3. Promote Partnerships. 

Effective collaboration and partnerships between researchers, educators and practitioners in academe, industry and government will enable the timely transformation of research outcomes into technological innovation that will secure critical cyber systems resident in both the public and private sectors. NSF has a 
strong institutional tradition of enabling partnerships among the Nation’s leading 
scientists, engineers and educators. In convening researchers, educators, and 
other stakeholders we draw on the expertise and deliberations of a vigorous and 
critical scientific community, exposing new ideas and building consensus for them. 

In FY 2003 and beyond, NSF will build on and increase coordination between the 
activities that we have supported for some years. Beginning in FY 2004, the entire 
suite of cyber security activities will be managed under one integrated, cross-cutting 
program called Cyber Trust. 

I would note that we chose the title “Cyber Trust” because our understanding is 
that the public not only wants their information systems to be secure, but that they 
want to trust them in all kinds of situations. As a simple example, they need to 
be able to trust that data will be kept private. 

The Cyber Trust portfolio of awards will include a range of multidisciplinary, 
multi-investigator awards, as well as more focused single investigator awards. This 
will ensure that NSF’s whole investment in cyber security research and education 
is greater than the sum of its parts. 

In order to generate innovative approaches to the complex computer and network 
security problems that our nation faces, NSF will fund projects of sufficient scope 
and center-scale to foster multidisciplinary collaboration between computer sci- 
entists, engineers, mathematicians, and social science researchers. Awards will 
range from single investigator types to multi-investigator awards of up to 
$3,000,000. This portfolio of Cyber Trust investments will ensure that a rich mix 
of cutting-edge research is funded. NSF will also inform the community of opportu- 
nities to compete for center-scale awards in these and related areas through activi- 
ties like the Science and Technology Center, Engineering Research Center, and In- 
dustry/University Cooperative Research Center programs. 

Identification and Coordination of Cyber Security Priorities 

NSF, in its discussions with the scientific and engineering community, has identi- 
fied five vital research areas at the frontier: 

1. Manageable security 

2. Empirical cyber security studies 

3. Cyber security foundations 

4. Cyber security for next generation technology 

5. Cyber security across disciplines 

These research areas include and are representative of the many research areas 
included in Section 4(a) of the Act. 

NSF believes that a highly collaborative and inclusive, coordinated effort is nec- 
essary to overcome the many technological challenges inherent in securing the Na- 
tion’s cyber systems. Only by drawing upon the expertise resident in relevant stake- 
holder organizations, including industry, academia, and government, and by align- 
ing the interests and investments of these broad stakeholder groups, can we ensure 
that the best solutions are identified and enacted to protect the Nation’s vital infor- 
mation technology resources. 

Accordingly, NSF will seek to establish a multi-sector cyber security partnership. 
The partnership will allow NSF to develop a strategic framework to guide future 
research and education investments in the field; investments likely to be made by 
both the public and the private sectors. 

NSF will engage key federal agencies in the partnership endeavor, by drawing on 
current interagency efforts in this area. For example, NSF staff are very active in 
formal interagency activities that support cyber security collaborations, such as in 
the Networking and Information Technology Research and Development (NITRD) 
Interagency Working Group (IWG) that includes representatives from the Defense 
Advanced Research Projects Agency, the Department of Defense, the National Secu- 
rity Agency, and others. 

Dr. Peter Freeman, the NSF Assistant Director for Computer and Information 
Science and Engineering (CISE) has talked with Dr. Arden Bement to establish for- 
mal collaboration between NSF and NIST in the area of cyber security and program 
staff will carry the coordination forward. As chair of the NITRD IWG Dr. Freeman 
has also met with Dr. David Nelson, Director of the National Coordination Office 
for NITRD, to discuss ways to enhance the coordination activities of the IWG in the 
area of cyber security. 
Demonstrating further NSF leadership in cyber security, an NSF/CISE Program 
Officer co-chairs the High Confidence Software and Systems program coordination 
area of NITRD. This subgroup is working to define the federal portfolio of cyber se- 
curity research and development, and will identify gaps. NSF will draw upon the 
work of this group to inform its future research investments. 

NSF also has a long tradition of working with industry partners in science and 
engineering. By encouraging strong industry participation in the development of a 
cyber security research and education framework, and in the subsequent funding of 
appropriate research and education activities, NSF hopes to improve both the trans- 
fer of new knowledge into the marketplace and the capacity of current and future 
generations of IT and information assurance professionals. 

Capacity Building 

To establish the partnership, NSF will convene a series of workshops to begin in 
summer 2003. These workshops will engage researchers, educators and practitioners 
representing academic, industry, and government stakeholder organizations to de- 
velop community consensus on cyber security research and education needs and op- 
portunities. In addition to refining research opportunities, the workshops will focus 
on integration, scale, and capacity building. 

The first workshops planned are described below. 

1. Comprehensive Cyber Security Needs Assessment 

In August 2003, NSF will convene an invitational workshop of academic, indus- 
trial, and government leaders to help assess the needs and identify the strategies 
necessary to prepare a world-class cyber security workforce. In order to facilitate 
educational innovation in cyber security, design concepts for new cyber security-re- 
lated curricula will be devised. Implementation strategies will be discussed to deter- 
mine the best way to deliver cyber security education to a broad audience. Strate- 
gies will focus on curriculum for three levels of education: 

• Bachelor’s/Associate’s degree programs to prepare systems administration 
and IT security operations professionals, 
• Bachelor’s and Master’s degree programs to prepare systems design and 
development professionals with specified skills in security, 
• Ph.D. programs to prepare researchers and educators for careers in 
information security. 

The workshop will also examine implementation strategies to support faculty 
traineeships in cyber security. These programs will enable recent Ph.D. graduates 
to pursue academic careers in cyber security. 

Following this workshop, NSF will assess the extent to which its current capacity- 
building programs address the needs defined by the workshop attendees. For exam- 
ple, the Advanced Technology Education (ATE) centers are comprehensive national 
or regional cooperative efforts involving two-year colleges, four-year colleges and 
universities, secondary schools, business, industry, and government. This program 
might serve as a valuable model for other such activities in the future. In the mean- 
time it will provide a potential platform for cyber security activities at the Bach- 
elor’s and Associate’s degree levels. 

I should also note that the Federal Cyber Service: Scholarships for Service (SFS) 
program “seeks to increase the number of qualified students entering the fields of 
information assurance and computer security and to increase the capacity of the 
United States higher education enterprise to continue to produce professionals in 
these fields to meet the needs of our increasingly technological society.” This pro- 
gram directly addresses the future needs of the Federal Government for access to 
skilled information security Bachelor’s, Master’s, and Ph.D. recipients. The program 
also provides funding to schools to “improve the quality and increase the production 
of information assurance and computer security professionals through professional 
development of information assurance faculty and the development of academic pro- 
grams.” 

2. Cyber Security Community 

In order to facilitate multidisciplinary research and education activities, NSF will 
convene a meeting of all Principal Investigators (PIs) from the newly integrated 
Cyber Trust Program. This group of PIs will form a Research Collaboration 
Network. The RCN will facilitate interaction between groups of investigators, to 
communicate and coordinate research efforts across disciplinary, organizational, 
institutional, and geographical boundaries. It will lead to integration of the research 
activities of scientists working independently on cyber security topics of common interest, 
to nurture a sense of community among cyber security researchers, to attract new 
scientists to the field, and to minimize isolation and maximize cooperation in 
research, training, outreach and educational activities. Together, the members of this 
network will explore further means by which to address the complex issues faced 
by the cyber security community as a whole. 

The Cyber Security Research and Development Act addresses a critical weakness 
in the security of our nation. NSF is appreciative to the Committee for extending 
its confidence to us. We look forward to working with you to ensure that the goals 
of the Act are fulfilled. 


Biography for Rita R. Colwell 

Dr. Rita R. Colwell became the 11th Director of the National Science Foundation 
on August 4, 1998. 

Since taking office, Dr. Colwell has spearheaded the agency’s emphases in K-12 
science and mathematics education, graduate science and engineering education/ 
training and the increased participation of women and minorities in science and en- 
gineering. 

Her policy approach has enabled the agency to strengthen its core activities, as 
well as establish support for major initiatives, including Nanotechnology, Biocom- 
plexity, Information Technology, Social, Behavioral and Economic Sciences and the 
21st Century Workforce. In her capacity as NSF Director, she serves as Co-chair 
of the Committee on Science of the National Science and Technology Council. 

Under her leadership, the Foundation has received significant budget increases, 
and its funding recently reached a level of more than $4.8 billion. 

Before coming to NSF, Dr. Colwell was President of the University of Maryland 
Biotechnology Institute, 1991-1998, and she remains Professor of Microbiology and 
Biotechnology (on leave) at the University Maryland. She was also a member of the 
National Science Board from 1984 to 1990. 

Dr. Colwell has held many advisory positions in the U.S. Government, non-profit 
science policy organizations, and private foundations, as well as in the international 
scientific research community. She is a nationally respected scientist and educator, 
and has authored or co-authored 16 books and more than 600 scientific publications. 
She produced the award-winning film, Invisible Seas, and has served on editorial 
boards of numerous scientific journals. 

She is the recipient of numerous awards, including the Medal of Distinction from 
Columbia University, the Gold Medal of Charles University, Prague, and the Uni- 
versity of California, Los Angeles, and the Alumna Summa Laude Dignata from the 
University of Washington, Seattle. 

Dr. Colwell has also been awarded 26 honorary degrees from institutions of higher 
education, including her Alma Mater, Purdue University. Dr. Colwell is an honorary 
member of the microbiological societies of the UK, France, Israel, Bangladesh, and 
the U.S. and has held several honorary professorships, including the University of 
Queensland, Australia. A geological site in Antarctica, Colwell Massif, has been 
named in recognition of her work in the polar regions. 

Dr. Colwell has previously served as Chairman of the Board of Governors of the 
American Academy of Microbiology and also as President of the American Associa- 
tion for the Advancement of Science, the Washington Academy of Sciences, the 
American Society for Microbiology, the Sigma Xi National Science Honorary Society, 
and the International Union of Microbiological Societies. Dr. Colwell is a member 
of the National Academy of Sciences. 

Born in Beverly, Massachusetts, Dr. Colwell holds a B.S. in Bacteriology and an 
M.S. in Genetics, from Purdue University, and a Ph.D. in Oceanography from the 
University of Washington. 

Chairman Boehlert. Thank you very much. And thank you very 
much for giving us some precise figures. And Dr. McQueary, when 
we get back to you, we would like some figures, if we may. 

Dr. Bement. 

STATEMENT OF DR. ARDEN L. BEMENT, JR., DIRECTOR, NA- 
TIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, 
TECHNOLOGY ADMINISTRATION, U.S. DEPARTMENT OF 
COMMERCE 

Dr. Bement. Thank you, Chairman Boehlert. It is good to be 
back. I want to thank you, Mr. Hall, and Members of the 
Committee for allowing me to testify today about the contributions of 
NIST to strengthen the Nation’s cyber security. Let me congratu- 
late you for your tremendous leadership in advancing robust pro- 
grams to protect our nation’s information infrastructure from at- 
tack. 

We at NIST fully agree with the Committee that helping to en- 
sure the confidentiality, integrity, trust, and availability of civilian 
information is essential to the functioning of our economy. The 
Cyber Security R&D Act and FISMA emphasize NIST’s long-stand- 
ing statutory responsibilities for developing federal cyber security 
standards and guidelines and conducting related research. 

Let me review just a few of NIST’s activities and accomplish- 
ments. In 2001, Secretary Evans approved the Advanced 
Encryption Standard as a federal security standard. I am pleased 
to report that the AES is being actively adopted by voluntary 
standards bodies and implemented by vendors. In fact, over 70 
commercial implementations of the AES have already been vali- 
dated through our Cryptographic Module Validation Program. This 
program has also validated over 500 other modules and another 
100 or more are expected within the next year. 

To give you a sense of the quality improvement that the program 
achieves, statistics from the testing laboratories show that 48 per- 
cent of the modules brought in for voluntary testing had security 
flaws that were corrected during testing. In other words, without 
our program, the Federal Government would have had only a 50/ 
50 chance of buying correctly implemented cryptography. 

In support of our federal responsibilities, we have published se- 
curity guidelines for e-mail, firewalls, telecommuting, and business 
systems contingency planning. We have also published guidelines 
on certification and accreditation, which are key components need- 
ed for successfully implementing E-government and the new 
FISMA mandates for federal agencies. Hundreds of thousands of 
copies of our guidelines have been downloaded from our computer 
security resource center website. For example, over 400,000 copies 
of our contingency planning guide for information technology have 
been downloaded since its publication less than one year ago. 

Our guidelines and standards provide leadership to industry as 
well, as much as our work is voluntarily adopted by industry. Our 
Smart Card Interoperability Specification has been adopted by 
federal agencies and is now being considered as an ANSI standard 
and eventually as an international standard. 

The complexity of systems is growing as components become 
smaller. And some of the biggest challenges are in ensuring the in- 
tegrity of information as it flows from component to component 
within a system. This is a major area of research on our horizon, 
so while we are moving ahead with critical tasks that are already 
on our agenda, we are giving new activities priority in our base 
program as resources become available. 

This is only a partial representation of our many cyber security- 
related projects and activities. Over the past three years, we have 
had appropriations of $26 million for grants, critical infrastructure 
protection, expert assist teams of which $5 million is recurring in 
NIST laboratory-based programs. And since 9/11, we have been 
leveraging another $12 million in our Information Technology 
Research Program toward cyber security-related priorities. 

In summary, in fiscal year 2003, approximately $24 million is 
being directed toward cyber security research and related pro- 
grams. And I can report to you, Mr. Chairman, we have already 
moved out on many of the requirements specified for NIST under 
the Cyber Security R&D Act. 

With your permission, I would like to — and also in the interest 
of time, submit a list of our current activities for the record. 

[NOTE: The information referred to appears in Appendix 2: Addi- 
tional Material for the Record.] 

Chairman Boehlert. Without objection, so ordered. It will be in- 
cluded as part of your testimony. 

Dr. Bement. We accomplished our mission working side-by-side 
with our federal partners. NIST understands the Committee’s de- 
sire for greater interagency coordination and collaboration, and we 
have been reaching out to assist other federal agencies. As Dr. 
McQueary indicated, Under Secretary Bond will be meeting with 
him very soon, I think it is scheduled for May 19, to sign a Memo- 
randum of Understanding. This MOU will establish a formal mech- 
anism for NIST to cooperate with the Science and Technology Di- 
rectorate of DHS. We continue to have regular interactions with 
NSF and OSTP, and we have had a long and successful 
relationship with both DARPA and NSA. We are moving forward with the 
NRC study called for in the Cyber Security R&D Act. We have al- 
ready identified the Study Director and are ready to initiate this 
study, and I am pleased to say that DARPA will be joining with 
us in conducting this study. 

Not all of our work has been accomplished from within the Fed- 
eral Government. NIST awarded $5 million to nine grant recipients 
in intrusion detection, telecommunications, wireless security, elec- 
tric power infrastructure, and compiler security, and we are expect- 
ing important advances from this grant program. 

In conclusion, I continue to view cyber security research and de- 
velopment as having high priority for NIST and the Nation. NIST 
takes its role in cyber security seriously, and we will work with the 
Committee to ensure that we are able to carry out our mandate to 
work with industry, academia, and standards development organi- 
zations to assure the secure flow of vital and sensitive information 
throughout our society. 

Mr. Chairman, I am grateful to you and this committee for your 
support of NIST’s programs, and this concludes my prepared re- 
marks. 

[The prepared statement of Dr. Bement follows:] 

Prepared Statement of Arden L. Bement, Jr. 

Chairman Boehlert, Mr. Hall, and Members of the Committee, thank you for this 
opportunity to testify today about the contributions of the National Institute of 
Standards and Technology (NIST) to strengthen the Nation’s cyber security. Let me 
congratulate you for your tremendous leadership in advancing robust programs to 
protect our nation’s information infrastructure from attack. I know that Technology 
Administration Under Secretary Phil Bond and I look forward to working very close- 
ly with you to turn your visions into reality. I would like to address the questions 
you asked in your invitation to testify and tell you about the many important cyber 
security activities currently underway at NIST. 
Protecting our nation’s critical infrastructure is of critical importance to our 
economy and our well-being. The terrorist attacks of September 11, 2001 brought to the 
forefront the Nation’s physical and economic vulnerability to an attack within our 
borders. Among the Nation’s vulnerabilities are the computer and communications 
networks on which the country’s financial, transportation, energy, and water 
systems and health and emergency services depend. These critical systems are the 
underpinning of the Nation’s infrastructure and commerce. The Los Angeles Times in a 
recent editorial emphasized the importance of meeting this challenge: “A 
cyberterrorist attack would not carry the same shock and carnage of September 11. 
But in this information age. . .[a cyberterrorist attack] could be more widespread 
and just as economically destructive.” We will not be able to address these 
vulnerabilities without applied research and development of enabling technologies 
in cyber security. 

The success of the Internet — connecting more than 100 million computers and 
growing — has far outstripped its designers’ wildest expectations. Although the Inter- 
net was not originally designed to control power systems, connect massive databases 
of medical records or connect millions of homes, today it serves these functions. It 
was not designed to run critical safety systems but it now does that as well. We 
rely heavily on an open system of networks, so complex that no one person, group 
or entity can describe it, model its behavior or predict its reaction to adverse events. 
The porous nature of the U.S. network infrastructure leaves the Nation, including 
critical federal systems, open to the constant possibility of cyber attacks. Such at- 
tacks include the massive distributed denial of service attacks that overwhelm serv- 
ers with access requests; defacement of web sites and the modification of electroni- 
cally stored information to spread disinformation and propaganda; “Zombies” that 
use computers (located anywhere) as conduits for wide-scale distribution of destruc- 
tive worms and viruses; and, unauthorized intrusions and sabotage of systems and 
networks, potentially resulting in critical infrastructure outages and corruption of 
vital data.[1] 

Helping to ensure the confidentiality, integrity and availability of civilian informa- 
tion is essential to the functioning of our economy and indeed to our democracy. 
And, to this end, NIST has had a long-standing and successful role in working with 
federal agencies and industry by ensuring the protection of non-national security re- 
lated cyber and information systems through standards and guidelines development, 
testing methodologies, conformity assessment and complementary supporting re- 
search. 

In 2001, Secretary Evans approved the Advanced Encryption Standard (AES) as 
a federal security standard. I am pleased to report that the standard is being ac- 
tively adopted by voluntary standards bodies and implemented by vendors. In fact, 
over 70 commercial implementations of the AES have already been validated 
through our Cryptographic Module Validation Program. 

Enactment of the Cyber Security Research and Development Act (CSRDA) of 2002 
and the Federal Information Security Management Act (FISMA) of 2002 has rein- 
forced our long-standing statutory responsibilities for developing federal cyber secu- 
rity standards and guidelines and conducting commensurate security research. We 
fully appreciate and are grateful for the trust and support provided by the House 
Science Committee to NIST in assigning us responsibility for these critical roles. We 
see both of these new important laws as a “vote of confidence” in our past work and 
an expectation of continuing successful achievements in the future. 

Today I would like to review new statutory assignments to NIST, provide you an 
overview of NIST’s cyber security activities, and discuss some of the challenges we 
continue to confront. 

NIST Responsibilities Under the Cyber Security Research and Development 
Act of 2002 

Under the legislation, NIST is assigned responsibilities to 

• Establish a program of assistance to institutions of higher education that 
enter into partnerships with for-profit entities; 

• Institute a program to award post-doctoral research fellowships to individuals 
seeking cyber security research positions; 

• Develop checklists that minimize security risks associated with Federal Gov- 
ernment computer hardware or software systems; 


[1] CNET News, “Calculating the Cost of Slammer,” Robert Lemos, February 3, 2003. 
• Ask the National Research Council of the National Academy of Sciences to 
study the vulnerabilities of the Nation’s infrastructure and to make rec- 
ommendations for appropriate improvements; 

• Support and consult with the Information System Security and Privacy Advi- 
sory Board, which has the mission to identify emerging issues related to com- 
puter security, privacy, and cryptography; 

• Conduct intramural cyber security research; and 

• Coordinate with NSF and OSTP on cyber security research. 

NIST Responsibilities Under the Federal Information Security Management 
Act (FISMA) of 2002 

Responsibilities assigned to NIST under FISMA include: 

• Developing IT standards for federal systems, 

• Conducting research to identify information security vulnerabilities and de- 
veloping techniques to provide cost-effective security; 

• Assessing private-sector policies, practices, and commercially available tech- 
nologies; 

• Assisting the private sector, upon request; and 

• Evaluating security policies and practices developed for national security sys- 
tems to assess potential application for non-national security systems. 

FISMA also contained a number of specific assignments, including development 
of: 

• Standards and guidelines to be used by federal agencies to categorize levels 
of information security according to risk; 

• Minimum information security requirements, such as management, oper- 
ational, and technical security controls; 

• An Incident Handling Guideline and a Guideline to Identifying a System as 
a National Security System; 

• Security performance indicators; and 

• An annual public report of our FISMA activities. 

With these broad legislative mandates in mind, let me review NIST’s activities 
and accomplishments in the area of intramural research, security grants, and a 
planned National Research Council study. 

Recent NIST Intramural Cyber Security Accomplishments 

In addition to the extraordinary success of the Advanced Encryption Standard, 
NIST has made a number of major contributions to cyber security standards and 
guidelines, research, and testing in order to thwart the kinds of economically dis- 
abling attacks noted previously. Here are but a sampling of numerous successes and 
ongoing activities: 

Security Guidelines and Standards 

Our base program targets the development of standards and guidelines in support 
of our federal responsibilities. In 2002-2003, NIST published 12 security guidelines 
covering a wide variety of topics such as e-mail, firewalls, telecommuting and busi- 
ness systems contingency planning. We have also published 10 draft guidelines for 
review by federal departments and agencies as well as other interested organiza- 
tions and individuals concerning such topics as certification and accreditation, 
awareness and training, and considerations in Federal Information technology pro- 
curements. The certification and accreditation guidelines are a key component need- 
ed for successful implementation of the e-government and FISMA mandates for fed- 
eral agencies. Additionally, we have issued numerous NIST Information Technology 
Laboratory (ITL) Bulletins during the last year to provide guidance to agencies and 
others on a broad list of topics. Our guidelines and standards provide leadership to 
industry as much of our work is voluntarily adopted in industry. For example, our 
Smart Card Interoperability Specification has been adopted by federal agencies and 
is now being considered for adoption by an ANSI Standards committee and eventu- 
ally as an international standard. All of our work is posted on our Computer Secu- 
rity Resource Center website. Hundreds of thousands of copies of our guidelines 
have been downloaded from this online site. For example, over 400,000 copies of our 
Contingency Planning Guide for Information Technology have been downloaded 
since its publication less than a year ago. 
Security Testing 

I mentioned previously the Cryptographic Module Validation Program through 
which a number of new algorithms that use the Advanced Encryption Standard are 
being tested. The CMVP as it is known is operated in conjunction with the Govern- 
ment of Canada’s Communication Security Establishment. The Cryptographic Mod- 
ule Validation Program has now validated over 500 modules with another 100 or 
more expected within the next year. This successful program utilizes private-sector 
accredited laboratories to conduct security conformance testing of cryptographic 
modules against the cryptographic federal standards NIST develops and maintains. 
To give you a sense of the quality improvement that the program achieves, consider 
that our statistics from the testing laboratories show that 48 percent of the modules 
brought in for voluntary testing had security flaws that were corrected during test- 
ing. In other words, without our program, the Federal Government would have had 
only a 50/50 chance of buying correctly implemented cryptography! 

In addition, in recent years we have worked to develop the “Common Criteria” 
which can be used to specify security requirements. These requirements are then 
used by private-sector laboratories, accredited by NIST, for the voluntary evaluation 
of commercial products needed for the protection of government systems and net- 
works. This work is undertaken in cooperation with the Defense Department’s Na- 
tional Security Agency in our National Information Assurance Partnership (NIAP). 
You may be aware that the National Strategy to Secure Cyberspace calls for a review 
of the NIAP. We have begun staff discussions with NSA to identify ways we might 
improve the process, through research, process changes, and to understand the re- 
sources needed for NIAP to fully succeed. 

Access Control 

One of the basic tenets of IT security is controlling access to vital IT resources — 
answering the question, “who is allowed to do what?” A NIST research team created 
a new approach to controlling user access, called Role-Based Access Control (RBAC). 
What is most striking about RBAC is its rapid evolution from a theoretical model 
to commercial implementation and deployment. An independently conducted NIST- 
sponsored economic impact study, estimated that RBAC will soon be used by some 
30 million users for access to sensitive information. Further, the study estimated 
that RBAC technology will save the U.S. software development industry $671 mil- 
lion, and that NIST was responsible for 44 percent of the savings. 

And, there are many, many other activities too numerous to describe here, includ- 
ing significant efforts in the critical areas of the security of systems controlling the 
U.S. Critical Infrastructure, mobile device security, network security, and security 
awareness. We also need to be aware of specific needs of our federal customers and 
work closely with them to achieve our mission. For example, OMB has asked us to 
assist in the preparation of E-Authentication technical guidelines in support of the 
E-Government initiatives. And, there are related areas of research, such as bio- 
metrics (under mandates from the USA Patriot Act) and computer forensics (used 
to build evidence for court cases against terrorists) in which NIST is making ex- 
traordinary contributions to the Nation’s efforts to secure the critical infrastructure 
of the country. So, in addition to our $10M base funding for cyber security, we lever- 
age another $14M to enable the use of technologies that support the Nation’s cyber 
infrastructure. 

But, even with our very active program and considerable interactions with indus- 
try and federal agencies, the list of critical tools still to be developed is daunting. 
The need for trustworthy computing systems is a theme we hear from various eco- 
nomic sectors on a daily basis — from financial institutions, from health care profes- 
sionals, from owners and operators of utility companies — all are in need of mecha- 
nisms by which they can be assured that the information they exchange is available, 
confidential and that its integrity is assured. And, the complexity of systems is 
growing as components become smaller and systems on a chip become ubiquitous; 
some of the biggest challenges are in ensuring the integrity of information as it 
flows from component to component within a system. This is a major area of re- 
search on our horizon. So, while we move ahead with critical tasks that already are 
on our agenda, we will give new activities priority in our base program as resources 
are available. 

Interaction with Other Federal Government Agencies 

We accomplish our mission working side by side with our federal partners. NIST 
understands the Committee’s desire for greater interagency coordination and 
collaboration for successful science and technology initiatives and we have been 
reaching out to supplement and assist other federal agencies. Our Technology 
Administration is preparing a Memorandum of Understanding with the Science and 
Technology Directorate of the Department of Homeland Security (DHS) which will be 
signed by Under Secretary Bond and DHS Under Secretary McQueary. This MOU 
will establish a formal mechanism for NIST to cooperate with DHS in fulfilling their 
many homeland security responsibilities including cyber security R&D. The MOU 
is being prepared for signature by the two departmental bureaus on May 19. We 
have detailed one NIST senior scientist to the DHS S&T Directorate to assist with 
standards efforts and to avoid duplication of effort. Also, we have regular inter- 
actions with NSF and OSTP, for example in the INFOSEC Research Council (IRC). 
The IRC provides a community-wide forum to discuss critical information security 
issues, convey the research needs of their respective communities, and describe cur- 
rent research initiatives and proposed courses of action for future research invest- 
ments. Additionally, we have also invited NSF representatives to meet with our In- 
formation System Security and Privacy Advisory Board at its June meeting. We 
have had a long and successful relationship with DARPA in a number of research 
areas, particularly in areas of networks, biometrics and language recognition tech- 
nologies. 

National Research Council Study of Network Vulnerabilities 

As mandated by CSRDA, we are also moving forward with a National Research 
Council study to review the vulnerabilities and inter-dependencies in our critical in- 
frastructure networks and identify appropriate research needs and associated re- 
source requirements. Working with our NRC colleagues we have already identified 
a study director and are ready to initiate this study. 

Cyber Security Research Grants 

Now, not all of our work has been accomplished from within the Federal Govern- 
ment. NIST has provided twelve cyber security research grants in the past: one to 
the Critical Infrastructure Protection Project; nine under the NIST 2001 Critical In- 
frastructure Protection Grants Program, and two to the Institute for Information In- 
frastructure Protection (I3P) at Dartmouth College’s Institute for Security and Tech- 
nology Studies. 

NIST Critical Infrastructure Protection Grants Program 

In September 2001, NIST awarded $5M to nine grant recipients under the FY 
2001 Critical Infrastructure Protection Grants Program (CIPGP) to improve the 
robustness, resilience, and security of information in all the critical infrastructures. 
Under the competitive grant application process, we received 133 proposals request- 
ing roughly $73M from applicants in both industry and academia. We selected pro- 
posals in intrusion detection, telecommunications, wireless security, electric power 
infrastructure, and compiler security. 

Funded research addresses a variety of topics to include tools and methods for 
analyzing security and detecting attacks due to vulnerabilities introduced by merg- 
ing of data networks (i.e., the Internet) and voice networks (i.e., the public switched 
telephone network). Other topics addressed are attack detection for wireless and 
converged networks, the development of security controls for protecting the North 
American power grid, and methods for evaluating intrusion detection systems. 

While results are still preliminary from the Grants program and some projects 
will not be completed due to a discontinuation of program funding in FY 2002, we 
will still produce important results especially in the wireless area, converged data/ 
IP networks and security of the electric power infrastructure. 

Cyber Security Funding Increases 

NIST takes its cyber security responsibilities very seriously and we appreciate 
your confidence in our abilities as witnessed by passage of the Cyber Security Re- 
search and Development Act and the Federal Information Security Management Act 
(FISMA). We also appreciate that in FY 2003 Congress provided $1M in funding for 
operation of our Computer Security Expert Assist Team capability, and approxi- 
mately $2M for wireless security and networks via our Program to Accelerate Crit- 
ical Information Technologies initiative. 

The President’s FY 2004 budget request includes increased funding for two exist- 
ing NIST program areas related to cyber security research: 

Biometrics Standards 

The FY 2004 request includes $1M specifically for standards for biometric identi- 
fication in continuing support of the USA PATRIOT Act to develop a national bio- 
metric identification system, using unique physical characteristics such as finger- 
prints, facial features, and eye patterns, to accurately identify people entering the 
United States or applying for visas. With the funding requested, NIST will help to 
develop effective, efficient, and interoperable biometric identifier standards, 
certification tests, guidelines, and techniques for fingerprint and face recognition and 
verification. 

Quantum Information Systems 

The FY 2004 $3M requested for work in quantum information science will also 
have significant cyber security benefits. Quantum mechanics, the strange behavior 
of matter on the atomic scale, provides an entirely new and uniquely powerful way 
for computing and communications, potentially replacing the current binary com- 
puting and digital communications based on ones and zeros, and could have enor- 
mous impacts in homeland security. Quantum computers could perform processing 
tasks that are currently impossible. They also could solve problems that conven- 
tional computers could not manage given realistic amounts of time, memory, and 
processing power. 

This enormous computational power would be particularly valuable in cryptog- 
raphy, making codes that would be unbreakable by the best supercomputers of to- 
morrow, or breaking codes in seconds that could not be cracked in years by the most 
powerful binary computers. Quantum information also can be used for remarkably 
secure communications. In this particular area, we are partnering closely with 
DARPA. 

With the requested funding, NIST will work to develop the measurements and 
standards infrastructure (hardware and software) critical to the development of a 
quantum communications system. This includes methods to test and verify the ac- 
tual performance characteristics of these systems, to determine their security prop- 
erties, and to enable integration of such systems into the existing communications 
infrastructure. 

In conclusion, NIST takes its role in cyber security seriously and will work with 
the Committee to ensure that we are able to carry out our mandate to work with 
industry, academia, and standards development organizations to assure the secure 
flow of vital and sensitive information throughout our society. These examples of 
our work and accomplishments demonstrate NIST’s commitment to cyber security, 
across the government and the Nation. They also demonstrate the base upon which 
NIST hopes to build our efforts. It is an absolutely critical national need, and it is 
fundamental to providing the technical testing, standards and guidelines needed to 
protect our information infrastructure. 

I am grateful to Chairman Boehlert for holding this hearing, and for his support 
of NIST’s programs. 

This concludes my prepared remarks. 

I will be pleased to answer your questions. 

Biography for Arden L. Bement, Jr. 

Arden L. Bement, Jr., was sworn in as the 12th Director of NIST on Dec. 7, 2001. 
Bement oversees an agency with an annual budget of about $812 million and an 
on-site research and administrative staff of about 3,000, complemented by a NIST- 
sponsored network of 2,000 locally managed manufacturing and business specialists 
serving smaller manufacturers across the United States. Prior to his appointment 
as NIST director, Bement served as the David A. Ross Distinguished Professor of 
Nuclear Engineering and head of the School of Nuclear Engineering at Purdue Uni- 
versity. He has held appointments at Purdue University in the schools of Nuclear 
Engineering, Materials Engineering, and Electrical and Computer Engineering, as 
well as a courtesy appointment in the Krannert School of Management. He was di- 
rector of the Midwest Superconductivity Consortium and the Consortium for the In- 
telligent Management of the Electrical Power Grid. 

Bement came to his position as NIST director well versed in the workings of the 
agency, having previously served as head of the Visiting Committee on Advanced 
Technology, the agency’s primary private-sector policy adviser; as head of the advi- 
sory committee for NIST’s Advanced Technology Program; and on the Board of 
Overseers for the Malcolm Baldrige National Quality Award. 

Bement joined the Purdue faculty in 1992 after a 39-year career in industry, gov- 
ernment, and academia. These positions included: Vice President of Technical Re- 
sources and of Science and Technology for TRW Inc. (1980-1992); Deputy Under 
Secretary of Defense for Research and Engineering (1979-1980); Director, Office of 
Materials Science, DARPA (1976-1979); Professor of Nuclear Materials, MIT (1970- 
1976); Manager, Fuels and Materials Department and the Metallurgy Research De- 
partment, Battelle Northwest Laboratories (1965-1970); and Senior Research Asso- 
ciate, General Electric Co. (1954-1965). 

Along with his NIST advisory roles, Bement served as a member of the U.S. Na- 
tional Science Board, the governing board for the National Science Foundation, from 
1989 to 1995. He also chaired the Commission for Engineering and Technical 
Studies and the National Materials Advisory Board of the National Research Council; 
was a member of the Space Station Utilization Advisory Subcommittee and the 
Commercialization and Technology Advisory Committee for NASA; and consulted for 
the Department of Energy’s Argonne National Laboratory and Idaho Nuclear En- 
ergy and Environmental Laboratory. 

He has been a director of Keithley Instruments Inc. and the Lord Corp. and was 
a member of the Science and Technology Advisory Committee for the Howmet Corp. 
(a division of ALCOA). 

Bement holds an engineer of metallurgy degree from the Colorado School of 
Mines, a Master’s degree in metallurgical engineering from the University of Idaho, 
a doctorate degree in metallurgical engineering from the University of Michigan, 
and an honorary doctorate degree in engineering from Cleveland State University. He 
is a member of the U.S. National Academy of Engineering. 

Chairman Boehlert. Thank you very much. And thank you for 
the kind words about the Committee’s leadership in this area. I 
guess the question we have is is there a follower-ship, and we will 
address that in the questions. 

Dr. Tether, welcome back. And I hope in your testimony you will 
enlighten us as to why we are moving in the wrong direction with 
respect to funding in DARPA for cyber security or Cyber Trust, as 
we now occasionally refer to it. 

Dr. Tether. Thank you very much, Chairman Boehlert, Mem- 
bers of the Committee. I am pleased to be here to discuss our work 
in cyber security, which we really refer to as “information assur- 
ance.” If you would, please, accept my written testimony for the 
record. 

Chairman Boehlert. Without objection, the entire written state- 
ments will appear in the record in their entirety, and we appreciate 
the others summarizing, and we would welcome your summary, but 
we are not being arbitrary with the five minutes, so don’t get nerv- 
ous about the green light, red light. It is just to see if we are color- 
blind. 

STATEMENT OF DR. ANTHONY J. TETHER, DIRECTOR, 
DEFENSE ADVANCED RESEARCH PROJECTS AGENCY 

Dr. Tether. As you know, DARPA’s mission is to maintain the 
technological superiority of the U.S. military by sponsoring high 
payoff research that basically bridges the gap between fundamental 
discoveries and the — their military use. The testimony goes into a 
little bit more detail of how we go about doing that, so I won’t both- 
er to go into that. 

However, all of — DARPA is a very low-overhead organization. I 
would say about 98 percent of the money that is appropriated to 
us literally goes out to performers, and only about $100 million, or 
I will say three billion is really for security, operating the building, 
operating DARPA, paying for salaries. All the rest goes out to per- 
formers. These performers are mostly industry, but there are uni- 
versities and also government labs involved. Now in doing that, we 
really — we partner with the services quite heavily. In fact, we con- 
tract to these performers through service organizations. 

A major service organization in this area, information assurance, 
is AFRL in Rome, New York, as you know. They are a great part- 
ner with us, and probably — and really carry the longevity of the 
projects. 
Basically, we mine the talents and discoveries that are created 
by organizations, such as NSF. We collaborate with NSF at the 
Program Manager level primarily to make sure that we are aware 
of what new is happening. And what we try to do is we try to find 
when an idea is ripe to be taken from an idea to an application, 
to a product in itself. And that is what we do and that is what 
DARPA has done very successfully for nearly 45 years now. 

The military, however, is moving to what they are calling “net- 
work centric warfare.” And this requires — and this will require that 
we seamlessly network the organizations, weapon platforms, peo- 
ple, immediately upon entry into a theater. Now this allows us to 
plan and execute operations more quickly and effectively than op- 
ponents. We are able to be very agile with this network centric 
warfare. And the recent conflicts in Afghanistan and Iraq really 
have given you only a hint of the power of the network centric tech- 
niques that are coming to our military. 

However, while moving to a network centric warfare has created 
for us an enormous capability in — capability to handle — be very 
agile, it has also created a tremendous vulnerability. Basically, the 
network now must achieve the same availability, reliability, et 
cetera, that we used to enforce on our platforms, our weapon plat- 
forms itself. The network itself now has become the weapon. 

Our enemies are watching this, and our enemies know this. So 
our enemies are clearly going to go and attack the network in the 
future as they have attacked our platforms and so in the past. Be- 
cause of this, we are working hard on techniques and all to make 
sure that these networks can not be attacked because of the — if 
they are attacked, the whole — our whole capability goes down. Be- 
cause of that, this is one of the reasons why our work is becoming 
more classified now than it has been in the past, because this — the 
network itself is becoming a capability and if the vulnerabilities of 
those networks were known, obviously it would be easy for an 
enemy to attack them. And if the techniques that we were devel- 
oping to prevent from attacking them were known, then that is val- 
uable information as well to an aggressor. So that is one of the rea- 
sons why you will find that in the future more and more of our 
work in this area will, by definition, have to become classified. 

Because we are idea or project-oriented in the sense that we 
don’t work in general, we take ideas and we create a project, it 
sometimes appears that we don’t have a consistent thrust. But 
what you see — what I believe you are seeing are just the natural 
variations as projects are started and as projects are finished. It is 
true that from 2002 to 2004 it looks like our — at least our unclassi- 
fied budget is decreasing in this area. What you don’t have is the 
classified budget, and I would be happy to give that to you in a 
closed session. And if you saw that, you would see it probably 
wasn’t decreasing that 

Chairman Boehlert. I would be a little more comfortable. 

Dr. Tether. Yeah. And most of that, by the way, once again goes 
through AFRL in Rome, New York. But for example, as these 
projects variations, in the early ’90’s, somebody got an idea, “Well, 
let us not let the attackers in.” And the result of that research 
were firewalls. And all of the — most of the firewalls that you have 
now being used by people came from a DARPA program back in 
the early ’90’s on the techniques to keep — just keep the attackers 
from ever getting in. However, it turns out that firewalls have 
flaws, and these flaws aren’t necessarily the firewalls, the people 
that implement them. 

So next we moved to detecting that an attack was going on and 
trying to limit the damage. However, in order to do this, we end 
up with high false alarm rates or false positives where we say an 
attack is going on and an attack really is not going on. So we devel- 
oped technology to greatly reduce that false alarm rate so that 
when an attack — we said an attack was going on, it truly was. 

Third, we finally — somebody had an idea that said, “Look, we 
can’t keep them out. We are getting pretty good at detecting these 
attacks, but what we really have to do now, because the networks 
are becoming, really, the weapon system, is learn how to operate 
through the attack.” In other words while the attack is ongoing to 
be able to still have the network operate, perhaps at a reduced ca- 
pability, but degrade more gracefully than just falling off the cliff 
because there was an attack going on. So we have technology devel- 
opments going on there. 

Some of the projects we have were listed in the testimony: Cyber 
Panel, Fault Tolerant Networks, Dynamic Coalitions, OASIS. And 
what we are doing is we are taking all of this technology and we 
are building a prototype system where we are going to be able to 
take our technology and implement it in a prototype network, a 
very large network, 400 nodes or so, typical of a military network, 
and then attack it and really be able to test our technology. Unfor- 
tunately, that will be, obviously, for obvious reasons, classified. 

So the last question is: Where are we going and what are our pri- 
orities? I believe that you asked that. As I said, we are focused on 
the problems that DOD must solve for network centric warfare. 
And these include problems not currently faced by the commercial 
world. DOD networks are — can be characterized as large, distrib- 
uted, mobile networks of networks becoming increasingly wireless. 
We are facing very sophisticated attackers. I mean, these aren’t 
just hackers going and erasing for mischief but really attackers 
whose life depends upon taking the network down. These networks 
have to assemble and reassemble on-the-fly, and they have to do 
this without any fixed infrastructure. In other words, we can’t go 
in and put towers up and then have the networks arrive. These 
networks have to basically be what is known as a peer-to-peer net- 
work where each node in itself becomes the relay for commu- 
nicating with other people. 

We are really far ahead of the commercial world in this regard, 
but there is great commercial interest in these DOD networks, es- 
pecially those that do not require a fixed infrastructure, and the 
reasons for that are obvious: cost. If we could have a cellular net- 
work that didn’t require the towers where each cell phone itself 
was a relay, you obviously have saved a lot of money on building 
the towers and also saved a lot of money in trying to get the towers 
put up. 

Now I know that — again, and I will close with that — you have 
been concerned about our level of funding, but let me assure you 
that we have, and will continue to have, a very robust program in 
information assurance, because we have to. The whole structure of 
the DOD depends upon that. And while we are putting more 
emphasis on the military’s specific problems, the work we are doing 
will have a long-term beneficial impact on the commercial world, 
mainly because we are developing all of the capability in industry, 
and industry will undoubtedly take that capability and go two ways 
with it: one for the military and also one for the commercial world. 

And with that, I will be glad to answer any questions you might 
have. 

[The prepared statement of Dr. Tether follows:] 

Prepared Statement of Anthony J. Tether 

Mr. Chairman, Committee Members, and staff: I am Tony Tether, Director of the 
Defense Advanced Research Projects Agency (DARPA). I am pleased to appear be- 
fore you today to talk about DARPA’s work to develop secure Defense networks and 
how that work relates to the subject of cyber security, or what we call information 
assurance. 

Some of you may not be familiar with DARPA, so let me begin by saying a few 
words about who we are and what we do. 

Since the time of Sputnik, DARPA has had a special mission within the Depart- 
ment of Defense (DOD): maintain the technological superiority of the U.S. military 
and prevent technological surprise from harming our national security. DARPA does 
this by sponsoring revolutionary, high-payoff research that bridges the gap between 
fundamental discoveries and their military uses. 

Let me tell you a little bit about how DARPA works. 

Imagine a science and technology (S&T) investment time-line that runs from 
“Near” to “Far,” indicative of how long it takes for an S&T investment to be incor- 
porated into an acquisition program. On the “Near side” of this timeline we have 
a lot of investment that represents most of the work of the Service S&T organiza- 
tions. This S&T tends to gravitate towards the Near side because the Services em- 
phasize providing technical capabilities critical to the mission requirements of to- 
day’s warfighter. This excellent work continuously hones U.S. military capabilities. 
However, it is typically focused on known systems and problems. 

In contrast, out at the other end of the investment timeline — we’ll call this the 
“Far side” — there is a much smaller investment that represents funding funda- 
mental discoveries, where new science, new ideas, and radical new concepts typi- 
cally first surface. People working on the Far side have ideas for entirely new types 
of devices, or new ways to put together capabilities from different Services in a revo- 
lutionary manner. But, the people on the Far side have a difficult, and sometimes 
impossible time obtaining funding from the larger, near side investors because of 
the near side’s focus on current, known, and pressing problems. 

DARPA was created to span the gap between these two groups. DARPA’s mission 
is to find the promising ideas (and people) out on the Far side and accelerate those 
ideas to the Near side as quickly as possible. DARPA emphasizes what future com- 
manders might want and pursues opportunities for bringing entirely new core capa- 
bilities into the Department. 

Hence, DARPA mines fundamental discoveries — the Far side — and accelerates 
their development and lowers their risks until they prove their promise and can be 
adopted by the Services. DARPA’s work is high-payoff precisely because it fills the 
gap between fundamental discoveries and their military use. 

What is surprising to many people, but entirely in-line with DARPA’s mission, is 
that only about five percent of DARPA’s research is basic research. Basic research, 
much of that “Far side” investment, is primarily supported by organizations like the 
Office of Naval Research (ONR), the National Science Foundation (NSF), the Na- 
tional Institutes of Health (NIH), and the Department of Energy (DOE). 

Basic research creates new knowledge and technical capacity, whereas DARPA 
creates new capabilities for national security by accelerating that knowledge and ca- 
pacity into use. So we count on institutions like ONR, NSF, NIH, and DOE to pro- 
vide us with a feedstock of revolutionary technical concepts that we, at DARPA, can 
then develop and turn into revolutionary Defense capabilities. 

Through the years, DARPA has refocused its work in response to evolving na- 
tional security threats and technological opportunities, and DARPA’s Strategic Plan 
describes how we are pursuing our mission today. One of our eight strategic thrusts 
is Robust, Self-Forming Networks, which contains our work in information assur- 
ance. 

Let me briefly describe it to you: 

DARPA’s Strategic Thrust in Robust, Self-Forming Networks 

The Department of Defense is in the middle of a transformation to what is often 
termed “network centric warfare.” In simplest terms, network centric warfare is 
when military organizations and systems are seamlessly networked to change the 
terms of any conflict to favor U.S. and coalition forces. It will allow the United 
States and our allies to go beyond a simple correlation of local forces by providing 
them better information and letting them plan and coordinate attacks far more 
quickly and effectively than our adversaries can. 

However, at the heart of this concept are survivable, assured, spectrum-agile com- 
munications at both the strategic and tactical levels. The goal of this work is a high 
capacity network that degrades softly under attack, while always providing a critical 
level of service. 

To support this vision, DARPA is conducting research in areas that include: (1) 
self-forming ad hoc networks; (2) high capacity, multiband, multimode communica- 
tions systems; (3) ultra-wideband communications; (4) spectrum sharing; (5) low 
probability of detection/intercept/exploitation communications; and, (6) information 
assurance or cyber security. 

I could spend pages describing our efforts in the first five areas. However, our 
focus today is cyber security, so let me turn to what we are doing to ensure that 
those military networks are secure and reliable. 

DARPA’s Information Assurance Research 

What we at DARPA call “information assurance” (often referred to as “cyber secu- 
rity”) is crucial to having the robust, self-forming networks required to successfully 
conduct network centric warfare. One must look no further than the ongoing Iraq 
War to see that the United States has been moving toward network-centric warfare. 

While people can debate the extent to which we have achieved network centric 
warfare, today’s U.S. military forces are unmistakably network-dependent. There- 
fore, the very first thing that a sensible adversary would do to asymmetrically ne- 
gate the U.S. force is take down our military networks. For quite some time, we 
have faced the very difficult problem of figuring out how to protect our military net- 
works. 

DARPA has had information assurance work going on in some form and by some 
name for decades. But, in the early 1990s we started to concentrate in earnest on 
the problem of information assurance, with the usual DARPA focus on solving ex- 
tremely hard problems. Initially, our emphasis was to secure hardwired computer 
networks. DARPA’s approach to solving the problem of information assurance 
evolved, over time, to a layered approach. 

The first layer that we worked on in the early 1990’s was preventing, or “locking 
out” cyber attacks. This resulted in the “firewalls” that are commonly available in 
the commercial world today. 

In fact, today’s commonly available commercial firewalls started with a DARPA 
project to protect the World Wide Web at the White House. The DARPA contractor 
that did this work published the firewall source code in the open literature, and 
from that work grew over a hundred firewall companies and an entire market for 
firewall products. 

The second layer in DARPA’s approach to information assurance has been detect- 
ing attacks and limiting their damage. In addition to intrusion detection, DARPA 
has more recently demonstrated both hundred-fold reduction in the false alarm 
rates that plague current intrusion detection systems, and the ability to detect new 
and novel forms of attack through anomaly based detection. Over the last two years, 
DARPA has demonstrated such detection capabilities in the field in major exercises 
such as the Navy Fleet Battle Experiment series. 

A third pursuit, and one that DARPA has been increasingly emphasizing, is devel- 
oping the ability to operate through cyber attacks. The simple logic here is that we 
simply cannot block all attacks, nor can we completely limit the damage from at- 
tacks. So we have to be able to continue operating while an attack is underway, in 
spite of the damage that the attack may inflict. 

Let me give you a flavor of where we are today in some of the information assur- 
ance programs that we are working on at DARPA right now: 

• The Cyber Panel program is working on ways to detect new attacks in real- 
time, including previously unknown attacks, predict what damage the attacks 
will inflict, and implement effective defenses. 

• The Fault Tolerant Networks program is working on ways to ensure that 
a network remains available, even during an attack, while restricting the net- 
work resources available to the attacker. In fact, this program has resulted 
in a commercial product, Peakflow™, that is being used to protect against 
Distributed Denial of Service attacks. 

• The Dynamic Coalitions program is working on methods to quickly set up 
secure networks — a critical problem for today’s U.S. fighting forces. Some of 
this technology is being used in the joint DARPA-Army Future Combat Sys- 
tems program, a program that has network centric warfare as a starting as- 
sumption. 

• The Organically Assured and Survivable Information Systems (OASIS) 
program is working to provide a “last line of defense” by developing ways to 
enable critical DOD computers (as distinct from the network level) to operate 
through a cyber attack, degrade gracefully if necessary, and allow real-time, 
controlled trade-offs between system performance and system security 
through such techniques as redundancy and diversity of operating systems. 

A prototype military system to produce Air Tasking Orders for the U.S. Air Force 
is also being developed. The system, and the underlying information assurance tech- 
nology, will be tested in 2004 by subjecting it to a sustained cyber attack from a 
“red team.” 

Much of what we have done, particularly for wired systems, has proved useful in 
both commercial and military systems. But, our focus is the specific problems DOD 
needs solved for network centric warfare. 

The military-specific problems that we are working on go beyond those faced by 
the commercial world today. Military networks, more than commercial networks, in- 
volve large-scale, highly distributed, mobile networks-of-networks that are increas- 
ingly wireless, deal with time-critical problems, and face potential attackers who are 
extremely dedicated and sophisticated. Failure in military networks has extreme 
consequences. 

Moreover, network centric warfare involves networks that must assemble and re- 
assemble on-the-fly on an ad hoc basis without having a fixed or set infrastructure 
in-place. In effect, we must achieve what has been called, “critical infrastructure 
protection” without infrastructure. 

In the most advanced cases, these are peer-to-peer or “infrastructure less” net- 
works. There is no fixed, in-place network equipment — the whole network architec- 
ture is fluid and reassembles dynamically. It could be that, in the long-term, com- 
mercial networks will acquire some of these features, but, for now the Department 
of Defense is in the lead in facing these problems. 

DARPA is taking a broad-based view of information assurance. When we think 
about information assurance, we include technology such as communications secu- 
rity and encryption as part of our solution. The threat to military networks is not 
simply hackers, but organized and well resourced nation states that want to eaves- 
drop on military network traffic, or interfere with it at precisely the wrong time. 

In fact, information assurance in a world of growing network centric warfare must 
become a regular feature of most military programs — in the same sense that every- 
one building an airplane must consider materials, not only material scientists. 

A significant and growing element of DARPA’s work in information assurance is 
classified, and cannot be discussed in this forum. The future thrust is for more of 
these efforts to become classified. Why? Because of our increasing dependence on 
networks, their vulnerabilities and techniques for protecting them become more and 
more sensitive. Accordingly, our efforts have become classified. 

In the longer-term, I expect that DARPA’s strategic thrust in Cognitive Com- 
puting could also lead to important contributions to information assurance. While 
I cannot discuss it at length today, our Cognitive Computing thrust is aimed at 
developing computers and networks that are “self-aware” — that is, computers that 
actually know what they’re doing and know what is happening to them. 

Future network-centric warfare systems will be able to leverage “self-aware” capa- 
bilities to determine when they are under attack and autonomically respond, and 
reconfigure themselves in much the same way as the human body reacts to an infec- 
tion. If such systems could be built, they should be able to do a much better job 
of protecting themselves because they will understand that they’re being attacked. 

I realize that there has been some concern about DARPA’s level of funding in the 
area of information assurance. For example, some have expressed the opinion that 
our budget for this effort is dropping drastically. 

Let me reassure you that we have a robust program in information assurance, 
and we plan to continue this robust program in the coming years. There are natural 
variations in our budget, and they are due to several factors such as when large 
programs like Fault Tolerant Networks and OASIS come to an end. 
The budget structure does not always capture the great variety of information assurance 
work going on, particularly when it is an integral part of another program, 
as it is in Future Combat Systems. And, there are the aforementioned classified pro- 
grams that obscure the budget picture. 

Thus, while we are putting more emphasis on military-specific problems, we will 
continue to have a robust program that will, in the long-term, have a broad, bene- 
ficial impact on the commercial world. 

Finally, I understand that a particular interest of the Committee is how we co- 
ordinate and disseminate the results of our research to other federal agencies and 
to the commercial world. 

Much of our interaction with industry stems from using companies as performers 
of our research, and the strong desire of smaller commercial firms to commercialize 
their technology. For instance, in 1999 DARPA foresaw the threat of Distributed Denial 
of Service that hit Yahoo and eBay a few years later, and invested accordingly 
to create the Fault Tolerant Networks program. Today, the nascent market for solu- 
tions against this threat consists primarily of technologies that have their roots in 
DARPA research, technology that can protect the military, like the example I men- 
tioned earlier. 

DARPA also makes efforts to broadly communicate our results in a more struc- 
tured way by sponsoring the DARPA Information Survivability Conference and Ex- 
position (DISCEX) conferences. The audience at DISCEX is very broad, and it in- 
cludes the extended research community, the operational military, developers of 
military systems, and the commercial industry that generates the “off the shelf” systems 
that comprise most military information systems. 

Our goal in these meetings is to stimulate scientists, developers, and joint oper- 
ational customers with research products, experimental results, and capabilities 
emerging from DARPA research to better address the military’s needs for informa- 
tion security. The most recent conference included over 250 attendees with 60 re- 
searchers giving technology demonstrations and produced two volumes of technical 
proceedings. 

In addition, while many ideas on information assurance are being exchanged in- 
formally through the professional relationships between researchers and the U.S. 
Government officials who sponsor their work, DARPA is the primary sponsor of the 
Infosec Research Council (IRC), an informal coordinating body begun in 1996 that 
is comprised of U.S. Government members concerned with funding and conducting 
research in information security/information assurance/cyber security. The IRC 
members include DARPA, the National Security Agency, the National Science Foun- 
dation, the National Institute of Standards and Technology, the Department of En- 
ergy, and the Federal Aviation Administration. 

I should also mention the collaborations and consultations between NSF and 
DARPA personnel. This interaction goes beyond the simple exchange of technical in- 
formation that typically characterizes interagency information exchange programs. 

DARPA and NSF personnel for example co-fund particular projects where a true 
synergistic opportunity exists. NSF’s program, “Ultra-High-Capacity Optical Com- 
munications: Challenges in Broadband Optical Access, Materials Processing, and 
Manufacturing” has direct participation by DARPA personnel and a modest level of 
DARPA funding. NSF personnel likewise take part in DARPA source selection pan- 
els where similar technical interests can be found. 

NSF’s “Networking Research Testbeds Program” is of special interest to DARPA 
in that it offers the possibility of making available world-class network testbeds to 
DOD contractors and personnel. Network testbed collaboration meetings are now 
routinely held by DARPA and NSF program managers, and I expect that these 
testbeds will be very useful as we explore alternative architectures, systems and 
protocols for future optical networks; wireless networks based on spectrum sharing; 
distributed sensor networks; and networking in highly dynamic and/or harsh envi- 
ronments. We have also been having discussions with NSF personnel about our 
thrust in Cognitive Computing. 

The Department of Defense is steadily increasing its dependence on information 
systems that are crucial to our future vision of network centric warfare. I hope my 
remarks today have given you a sense of what DARPA is doing to ensure that those 
networks perform reliably and that they remain secure. 

I would be happy to answer your questions. 

Biography for Anthony J. Tether 

Dr. Anthony J. Tether was appointed as Director of the Defense Advanced Re- 
search Projects Agency (DARPA) on June 18, 2001. DARPA is the principal Agency 
within the Department of Defense for research, development, and demonstration of 
concepts, devices, and systems that provide highly advanced military capabilities. As 
Director, Dr. Tether is responsible for management of the Agency’s projects for high- 
payoff, innovative research and development. 

Until his appointment as Director, DARPA, Dr. Tether held the position of Chief 
Executive Officer and President of The Sequoia Group, which he founded in 1996. 
The Sequoia Group provided program management and strategy development serv- 
ices to government and industry. From 1994 to 1996, Dr. Tether served as Chief 
Executive Officer for Dynamics Technology Inc. From 1992 to 1994, he was Vice 
President of Science Applications International Corporation’s (SAIC) Advanced 
Technology Sector, and then Vice President and General Manager for Range Systems 
at SAIC. Prior to this, he spent six years as Vice President for Technology and 
Advanced Development at Ford Aerospace Corp., which was acquired by Loral Cor- 
poration during that period. He has also held positions in the Department of De- 
fense, serving as Director of DARPA’s Strategic Technology Office in 1982 through 
1986, and as Director of the National Intelligence Office in the Office of the Sec- 
retary of Defense from 1978 to 1982. Prior to entering government service, he served 
as Executive Vice President of Systems Control Inc. from 1969 to 1978, where he 
applied estimation and control theory to military and commercial problems with 
particular concentration on development and specification of algorithms to perform 
real-time resource allocation and control. 

Dr. Tether has served on Army and Defense Science Boards and on the Office of 
National Drug Control Policy Research and Development Committee. He is a mem- 
ber of the Institute of Electrical and Electronics Engineers (IEEE) and is listed in 
several Who’s Who publications. In 1986, he was honored with both the National 
Intelligence Medal and the Department of Defense Civilian Meritorious Service 
Medal. 

Dr. Tether received his Bachelor of Electrical Engineering from Rensselaer Polytechnic 
Institute in 1964, and his Master of Science (1965) and Ph.D. (1969) in Electrical 
Engineering from Stanford University. 


Discussion 

Chairman Boehlert. Thank you very much. Thank all of you. 
Which one of you is the lead agency in cyber security? Tell me 
what that means being the lead agency. 

Dr. Colwell. As the lead agency in cyber security, we, particu- 
larly in the area of research, work together with the other agencies 
to coordinate the focus of the research and to ensure that there is 
integration of the research effort, non-duplication, and there is en- 
hancement in access, particularly the role of NSF, access to out- 
standing science to the other agencies. And we 

Chairman Boehlert. So that is sort of an interagency coordi- 
nating committee? Is that 

Dr. Colwell. Yes, we have a working group, the NITRD Work- 
ing Group, the Networking and Information Working Group that is 
chaired by Peter Freeman. We also have another — we have other 
information technology coordinating groups, and we work together 
in ensuring that we know what the other is doing, particularly 
strong with NIST, because NIST acts as the standards 

Chairman Boehlert. But am I — are we to assume that your co- 
ordinating group, for example, as Dr. Tether pointed out to us that 
increasingly a higher percentage of their work is in a classified 
arena, do we assume that all of the members of the coordinating 
group or Working Group have the necessary security clearance in 
order to deal in the responsible way that that work that DARPA 
is doing and — in the black area and that you can factor that in as 
you determine the direction you are going 

Dr. Colwell. Yes. 

Chairman Boehlert [continuing]. For the government? 
Dr. Colwell. Yes, as a matter of fact, that is the case. And we 
have detailed to Dr. McQueary’s — an NSF individual, who has been 
cleared and who is working to connect to agencies and to provide, 
initially, the capability for cyber security within Homeland Secu- 
rity. 

Chairman Boehlert. Well, I hope you all can comfort me and 
the Members of the Committee, so if you know the answer, I would 
like, but I am not sure it is the answer that you can feel com- 
fortable in giving me. But are each of you convinced that in your 
agency and within the government we are giving sufficient priority 
to the needs of cyber security? We will start with you, Dr. 
McQueary. 

Dr. McQueary. If you ask are we giving sufficient priority, today 
the answer is probably no, but I do believe that we have a plan in 
place to be implemented quickly that will put the proper emphasis 
on it. And that major emphasis from a Department of Homeland 
Security standpoint, will come from the Information Analysis and 
Infrastructure Protection Directorate, and the Science and Tech- 
nology Directorate will be actively working with them to — from the 
scientific and technological aspect of it. 

Chairman Boehlert. Dr. Colwell, I think you have already real- 
ly answered that question. 

Dr. Colwell. Yes. I would say that I agree with Dr. McQueary. 
We — as a Nation, we are not focusing sufficiently on this very real 
threat. I have just come back last night from a meeting in London 
of the science — my counterparts in the science agencies. It is an 
international problem. And we also need to understand that we are 
increasingly being cyber security attacked from outside the country 
as well as hackers within. And I think we are beginning to under- 
stand how serious this problem is that we haven’t really gotten to 
where we should be, in my opinion. 

Chairman Boehlert. Dr. Bement. 

Dr. Bement. This requires a very comprehensive approach. 
Through our work, we have worked not only with industry but aca- 
demia and also international bodies and also all of the federal 
interagency coordinating boards and councils to improve the infor- 
mation technology R&D working group, which up until recently 
was chaired by a person from NIST, Cita Furlani, who is now our 
CIO. We have a pretty good fix on where the vulnerabilities are. 
I think we have done enough workshops with industry and dif- 
ferent industrial sectors that we know where many of the 
vulnerabilities are in some of their control networks and in infor- 
mation systems. And you are right. This is going to require a much 
higher level of effort than we have currently engaged in, and it is 
going to have to come fairly soon if we are going to meet some of 
the vulnerabilities that currently exist. 

Chairman Boehlert. Dr. Tether. 

Dr. Tether. Given that we are idea oriented and project ori- 
ented, I — we are not lacking for funds. We are, perhaps, lacking for 
ideas. And what you see happening right now is — and one of the 
reasons why the budget is coming down is that current programs 
are ending very successfully. But on the other hand, we don’t really 
have the number of ideas in this area to solve the problem that the 
DOD faces. I have funded every idea that has come forth in this 
area over the last year, including building the infrastructure to 
allow people to have a test bed and a lot of other things. So we are 
more idea limited right now than we are funding limited. Now that 
is why we spent a lot of time dealing — collaborating with organiza- 
tions like NIST and NSF, and we will with Chuck as soon as we 
figure out where — what his address is. 

Chairman Boehlert. Well, in all fairness to DHS, I mean, they 
just stood up, what, 1 March, and they have got a monumental 
task, but 

Dr. Tether. But we will do that, and in fact, in this case, he has 
got quite a few DARPA people there, so the — you know, the rela- 
tionship between the two organizations is very good from the start. 
But we are constantly searching for ideas. And right now, this is 
a very tough problem. And from the DOD viewpoint, we can’t fail. 
I — see, we are not as concerned — we are not concerning ourselves, 
and that may be discomforting to you, on the commercial networks. 
Hopefully somebody is doing that. We believe our technology will 
apply, but if we don’t solve this problem of making these networks 
reliable and available through attacks, the whole military structure 
that we are building in the future is at stake. And so we really 
can’t fail in this area. And I hope that answers your question. 

Chairman Boehlert. Yeah, it does. And if I were to summarize, 
I would think I would summarize in this way, that you all feel that 
we are not giving sufficient priority now, but we are moving in that 
direction. And we need to give it the highest of priority. 

Dr. Tether. Oh, it has to be the highest priority. 

Chairman Boehlert. And I see all heads nodding yes, for the 
record. Thank you very much. My time is expired. Mr. Miller. 

Mr. Miller. Thank you. Dr. McQueary, the realization that you 
were no longer my constituent diminishes only slightly the pride 
that I feel that you were in — being in the position that you are in. 
And I know that the people in Greensboro feel a great deal of pride 
as well. 

Dr. McQueary. Thank you. 

Mr. Miller. And your resume does seem to be exactly what we 
need for your position. You have the technical expertise, and you 
supervise people with similar expertise. But I am wondering to 
whom you speak within the Executive Branch. When you are pre- 
paring a budget, who do you present it to at OMB? What is their 
background? What is their level of expertise? What is the highest 
level person in OMB who really deals only with cyber security? 

Dr. McQueary. I don’t know — personally know the answer to 
that question because I haven’t engaged anyone in a discussion di- 
rectly in that area. I am sure I have got someone behind me who 
can answer the questions. If you would like me to ask them, I 
would be happy to do so. 

Mr. Miller. Okay. 

Dr. McQueary. I am told Steve McMillin is the name of the indi- 
vidual that we deal with, and he, of course, works for Mark 
Forman in OMB. 

Mr. Miller. And do you know what Mr. McMillin’s title is? 

Dr. McQueary. No, I don’t. He has the homeland security re- 
sponsibility and R&D, I am told. 
Mr. Miller. Okay. I think it was just in April that Richard 
Clarke, who had been at the White House and involved in cyber 
security, said that the answer to the question who is the highest 
ranking person at OMB who works just on cyber security was pret- 
ty frightening. Is that still the case? Is it still a fairly low-level per- 
son or is it something that does get attention at what appears to 
be the appropriate levels of OMB with someone with that exper- 
tise? 

Dr. McQueary. I do not know the answer to the question, sir. 

Mr. Miller. Okay. A second question, it certainly appears that 
if — in — within the private sector that if one industry’s, one com- 
pany’s cyber security was insufficient, if it suffered an attack, there 
would likely be a ripple of economic loss, a disruption to others that 
that business deals with. Is that generally correct? 

Dr. McQueary. I would say that would certainly gain a lot of at- 
tention. And I think — if I could just inject, I think it is very impor- 
tant that private industry play a key role in this whole issue of 
cyber security, because it would be — since some 85 percent of the 
industry is privately — what we have in this infrastructure in the 
country is privately held and therefore private industry has to have 
a strong interest in helping determine what kind of cyber security 
protection we must have. In fact, any CEO of a company has a re- 
sponsibility to his or her shareholders to be concerned about such 
an issue would be my view. 

Mr. Miller. Okay. Or a little concerned not just about their — 
maybe to their shareholders, because their duty to their share- 
holders is just to be profitable, but the duty to the people with 
whom they do business. I know that the Administration’s — or I un- 
derstand the Administration’s approach has been not to require by 
regulation cyber security standards but that the Department pro- 
mulgates best practices and methodologies 

Dr. McQueary. Um-hum. 

Mr. Miller [continuing]. And that that would be advice — encour- 
agement to the private sector to adopt the appropriate level of pre- 
cautions. Is that generally the approach, not require by regulation 
but promulgate best practices and methodologies? 

Dr. McQueary. If you would let me defer that question to one 
of my peers, who are more knowledgeable about it, I would cer- 
tainly appreciate it, because I simply have not engaged myself in 
the short time I have been in this job and the subject to be able 
to speak adequately to it. 

Mr. Miller. Does anyone on the panel — yes, sir. 

Dr. Bement. We regularly hold workshops with industry to try 
to understand their vulnerabilities. In fact, it has been major ac- 
tivities of ours over the last two or three years since 9/11. And in 
addressing that, we had been working with the standard develop- 
ment organizations to not only develop standards but also we have 
been working to develop prototypes to understand better what 
those vulnerabilities are along with test beds. In order to accelerate 
standards developments, we are working with the Department of 
Homeland Security. We have detailed one of our senior scientists, 
who heads up the standards activities within Dr. McQueary’s orga- 
nization. And we have also detailed another person, who is an ex- 
pert in cyber security. And in addition to that, we have one of our 
senior people working with ANSI in what is now called the Homeland 
Security Standards Panel, which is working with the standard 
development organizations to try and fast track new standards to 
bring new products in the marketplace that will meet the reli- 
ability and the security requirements that will meet the needs of 
industry in this area. So it is almost a full court press at the 
present time. 

Chairman Boehlert. All right. The gentleman’s time has ex- 
pired. I know he has, as we all do, more questions. So we will have 
a second round of questioning. We will go now to the distinguished 
Chairman of the Subcommittee on Research, Mr. Smith of Michi- 
gan. 

Mr. Smith of Michigan. Thanks for an exceptional, qualified 
panel to help us decide where we should go on encouraging the di- 
rections that we think we should go to protect ourselves. It seems 
to me — help me understand a little bit in terms of the technology. 
It would seem like it is almost a weapon system. If you develop a 
better weapon system and then the other side develops a better 
weapon system, and it keeps building up from firewalls to miti- 
gating attacks to how to operate even if the attacks are there, like 
you suggested, Dr. Tether. But following up a little bit on Mr. Bell’s 
comment and Dr. McQueary’s suggestion that, look, the private sec- 
tor on how we use computers and software to decide how our food 
is going to be shipped where so it gets where it belongs to how we 
transmit electricity to how we run our airlines, how do you decide 
the balance, Dr. Tether, in protecting the kind of classified research 
that is going to enable our Defense Department to communicate 
and do things without intervention with the need to use some of 
that research in the private sector? 

Dr. Tether. Well, we have a — logistics is a good example of what 
you are talking about, which is very close to — you know, most of 
the Department of Defense is moving supplies. And there is a logis- 
tics organization called Transcom, which happens to be located in 
Illinois. We are developing for them a technique which will allow 
them to basically be able to go into the distributed databases to 
find out where supplies are and then create all of the transpor- 
tation required to get those supplies to the place they are needed. 
And we are concerned about, once you have distributed databases, 
of somebody getting into that distributed database and not — either 
not allowing you to do it or changing the data. So it is a very cru- 
cial thing for the Department of Defense to have this be secure and 
assured. 

Mr. Smith of Michigan. But still, my — both my points, the more 
that you accommodate the need to protect in the private sector, the 
more vulnerable you are to discovering some of the vulnerabilities 
of that system after you — because it is more available. 

Dr. Tether. That is correct. And in this particular case, the tech- 
nology that is being used is what we happen to call “intelligent 
agents”. These are little software modules that effectively — think of 
it as a — really as an agent that goes out and looks for you and 
brings you back answers. 

Now this is working very well. We have made it very secure. We 
have shown that — doing it this way, that we can, with high con- 
fidence, know that the data is not being corrupted, and that the 
system can operate through an attack. The details of how we do it, 
in the military, are classified. However, the technology of intel- 
ligent agents, distributed intelligent agents working together to do 
this, is unclassified. And again, we are developing this technology 
with a company. And this company sees a business in it, not only 
for supplying the military with this capability, but also supplying 
private industry. Ford Motor Company has the same problem. I 
mean, they buy parts all around the world, and they basically have 
a logistics problem. How do they get parts here and there? And 
they are very interested in making sure that their databases are 
secure and that somebody doesn’t get in. 

So here is a company that will take the technology that was de- 
veloped by the military, which will remain classified in the terms — 
in the context of the details, but is able to use that technology for 
a commercial application. I hope I am answering your question. 

Mr. Smith of Michigan. Yeah, you are, certainly. 

Dr. Tether. Okay. 

Mr. Smith of Michigan. My next question, Dr. Colwell. Anyway, 
good to see you. In terms of virtual centers compared to bricks and 
mortar centers, in our — in this Act, in our Cyber Security Research 
and Development Act, we put in language that would be directing 
the National Science Foundation to develop physical centers. And 
we put in similar language, so it is a two-fold question in the area 
of interest that I have expressed many times, is the biological cen- 
ters that we asked for in our NSF authorization bill. And it seems 
in both cases you have tended to lean toward virtual centers rather 
than following what I consider the intent of both bills in terms of 
developing real centers. 

Dr. Colwell. Actually, we have physical sites that are con- 
nected. The approach that we take, and we feel is very powerful, 
is to bring the versatility and the diversity of capability that is lo- 
cated in different parts of a given region and to link them, even 
though they represent physical sites, to link them by the capacity 
of a cyber infrastructure. That means that you have, for example, 
the — at — in Missouri, Indiana, Illinois, and Washington State, you 
have different capabilities, but when brought together, it becomes 
a very powerful approach to addressing sequencing and getting it 
done rapidly and effectively. And I think similarly, what we are 
trying to do here, and actually it is in response, I think, to an inter- 
est of the Chairman, is to bring together, as fast as we can, the 
capability that is there, strengthen it, and at the same time, deter- 
mine how we build further capacity through specific programs. 

And I would like to address the comment about ideas. NSF is fo- 
cusing research on embedded systems, like those that are used to 
control the Nation’s power grids. And we are also looking at the 
interplay between the human and the computer to better under- 
stand human behavior and the use of computers and then future 
generations of systems that would be beyond the currently used 
systems. And I must tell you that there is an enormous interest in 
the community, because we have many, many more proposals than 
we can possibly fund. And these are good ideas. These are very 
good ideas, and they need to be pursued. 

And then one very brief sideline, Congressman Smith, because I 
know of your interest in this, the British are very — how should I 
say? They are understanding that they have got to get beyond this 
genetically modified food situation, and they are pushing really 
hard to get the acceptance 

Mr. Smith of Michigan. I think you might be talking to the sci- 
entists rather than the traders. 

Dr. Colwell. These were folks that 

Mr. Smith of Michigan. Oh, these are policy issues. 

Dr. Colwell [continuing]. Are policy folks. These are policy 
folks. 

Mr. Smith of Michigan. Mr. Chairman, thank you. But you 
know, both in the centers that we call for and the computer net- 
work security research centers in this cyber security bill, the ad- 
vantages of the interdisciplinary individuals being able to talk to 
each other and feel each other out seems to me that it has a great 
advantage over virtual centers where you are simply putting out 
grants. And I yield back my time. 

Chairman Boehlert. The gentleman’s time is expired. Mr. 
Davis. 

Mr. Davis. I yield two minutes of my time to Mr. Miller. 

Chairman Boehlert. Mr. Miller is recognized for two minutes. 

Mr. Miller. Thank you, Mr. Davis. Dr. Bement, just a couple 
more questions. Essentially, the same question I asked of Dr. 
McQueary, has there been an assessment within the private sector 
of whether vulnerability to one entity within the private sector 
does have ripple effects if it causes — obviously it can cause, as Dr. 
McQueary points out, huge economic disruption and vulnerability 
to that entity. But does 

Dr. Bement. Yes. 

Mr. Miller [continuing]. It have a ripple effect? Does it cause — 
is there — would there be an expectation when this assessment of 
what effect it may have on others and — in — within the private sec- 
tor? 

Dr. Bement. Yes, there have been those vulnerability assess- 
ments, and let me just cite three examples. All of you know what 
the impact was of the strike out on the West Coast and how that 
tied up supply chains throughout the country and how that rippled 
through our economy. So our transportation systems are all inter- 
connected and all — interconnected in terms of their vulnerabilities, 
and that would be a major backup. Also, with regard to our manu- 
facturing enterprises because there is a supply chain linkage. And 
many of these enterprises are global in nature and depend on, 
again, the global supply of parts and so forth. Any disruption, espe- 
cially across our borders, and especially in the Great Lakes Area 
with Canada and south with Mexico, that would also have a ripple 
effect as far as our whole logistics trains throughout the supply 
chain. 

The other part that I would also cite is the vulnerability of our 
electric power grid. I might mention parenthetically that before I 
came to NIST, I was at Purdue University and using intelligent 
agents in a project co-sponsored by the Department of Defense to 
use intelligent agents to come up with more robust control systems 
to deal with upset conditions in our electric power grid. But that 
would also have a ripple effect, because the loss of a shunt or the 
loss of a major element, critical element in the electric power grid 
could, of course, be propagated across the country. So that would 
have major implications. And one of the vulnerable components 
there is the Supervisory Control and Data Acquisition System, or 
the SCADA control system, which do have to be made secure. And 
NIST has been working with the industry. We have been giving 
grants in this area to figure out how we can deal with the security 
aspects of information flows that control these SCADA control net- 
works, some of which now operate on the Internet. So you know, 
this is a new development in recent years using the Internet to 
control operations across the country. 

Chairman Boehlert. The gentleman’s time has expired. Mr. 
Davis, you can reclaim your time, but just let me observe that what 
George Carlin might refer to as the stuff of comic book lore is now 
a reality. I mean, we have to redefine what war is. It is very pos- 
sible that the next war would not be fought with guns and bullets 
but with computers and — from afar. They don’t even have to leave 
their point of origin. A nation could effectively wage war on an- 
other nation. That might not be as devastating in terms of loss of 
life, obviously, but the losses would be just monumental. And it is 
the — that is why, I mean, this committee is so concerned about 
cyber security and we are so avid in our pursuit of attention for 
this subject and trying to get people to realize what you have all 
acknowledged. But too many people are much too casual about it. 

Mr. Davis. 

Mr. Davis. Mr. Chairman, thank you. And I do reclaim the re- 
mainder of my time. I have basically one question. It will have a 
two-part to it. Many of the questions I have would have been asked 
and perhaps would have been asked by many, such as Mr. Miller 
and others, but the President, our Administration basically has de- 
scribed our national strategy for — to secure cyberspace is through 
the Office of Science and Technology Policy, which is referred to as 
OSTP, which basically will be coordinating, supposedly, and every 
year will be — each of your entities will be coordinating, bringing to- 
gether information starting with fiscal year 2004. As I hear each 
of you giving testimony, Dr. McQueary and Dr. Tether basically 
mentioned the INFOSEC Research Council. Dr. Colwell, you made 
reference to the network and — Networking and Information Tech- 
nology Research Development Interagency Working Groups. Now 
as I listened to each of those, I assume that perhaps each one that 
is providing research development is somewhere assimilating the 
information and then you get together with someone as you discuss 
what you are doing, what your research and development is pro- 
viding. Are you finding working with the Office of Science and 
Technology Policy is — are you able to effectively work there? Are 
you coordinating your information together or do you find that you 
are basically out on your own on an island? 

Dr. Colwell. No, we are coordinating. In fact, we have had dis- 
cussions, particularly on computing research, and especially effec- 
tive is the — putting together the budget requests, making sure that 
it is coordinated, because the — I mean, I can not speak for the 
Science — the Director of OSTP except for my interactions and say 
that this is a major interest and concern of OSTP and making sure 
that all of the agencies are doing a coordinated effort toward solv- 
ing the problem. Yes, I see that happening. 

Mr. Davis. And that is happening, and you are happy with the 
coordination of it and with getting results? 

Dr. Colwell. Well, I have to, again, just as we all four of us 
have said, that even though we had a Cyber Trust program started 
September 6, before 9/11, and have gone — our work goes back to 
1978, it is only in the last — I would say the last year or so that 
this intensive understanding of the disasters that hacking into sys- 
tems creates that we now are putting a very strong attention to 
this. 

Mr. Davis. Is there a plan in place, step-by-step how this is going 
to happen? And are you also working with private industry to gath- 
er information? 

Dr. Colwell. Yeah, the — we are developing a plan, and I think 
probably Dr. Bement can speak more conversantly with private in- 
dustry, but we, too, work with industry in our centers, our science 
and technology centers, our engineering research centers, and cer- 
tainly in developing a center approach for cyber security. 

Mr. Davis. So there is not a plan currently step-by-step that is 
being developed? 

Dr. Colwell. Being developed. 

Mr. Davis. I certainly hope it occurs pretty quickly. Dr. Bement. 

Dr. Bement. Of course, one of NIST’s responsibilities is look — is 
to look after the security of our federal agencies as far as sensitive 
information flows. And that work is coordinated through any num- 
ber of councils: the CIO Council, the PITAC, the PCAST, the 
INFOSEC Research Council that has been mentioned. There is a 
federal security program managers’ forum. And we take that infor- 
mation and we pull it together to develop our program and to es- 
tablish our priorities. But within each one of these bodies, there 
are plans that, in many cases, tie back to the Office of Management 
and Budget, which links to the President’s cyber security plan, so 
that — there has been a lot of planning being done. We are doing 
a lot within NIST. We are doing a lot of it interactively with the 
organizations that are represented here along with NSA and other 
agencies. And we look pretty much to OSTP for the coordination of 
the research and development program within the federal agencies 
through their information technology R&D working group. 

Dr. Colwell. I would like to, if I may, provide a reassurance in 
the fact that what you don’t see, what isn’t obvious, is that there 
is strong collaboration and cooperation. As I have said earlier, we 
have detailed one of our very good people to Homeland Security to 
help get that started up. We have been working with the intel- 
ligence agencies, the Defense agency and DARPA and with our sci- 
entist panels inviting scientists from those agencies to sit in on the 
NSF panels. And then where there is interest in the research that 
is being proposed and discussed, they can add funds to it and make 
sure that it gets enhanced. So we are doing quite a lot of what 
would be not openly and clearly visible. But there is a great deal 
of interaction. 

Mr. Davis. What my hope would be, obviously, is that each dif- 
ferent entity that is doing research and development would be able 
to follow a plan that would provide the information. And I am not 
sure that — I don’t sense that that is happening today, so my hopes 
are that from this hearing that there will be efforts to encourage 
such action to be taken. 

Chairman Boehlert. The gentleman’s time is expired. The 
Chair recognizes the distinguished Chairman of the Subcommittee 
on Environment, Technology and Standards, Dr. Ehlers. 

Mr. Ehlers. Thank you, Mr. Chairman. First of all, I have been 
struck with all of the work that is going on in cyber security, and 
it sounds like very good work, what we may call “cyber defense 
against enemies foreign and domestic.” Dr. Tether, what do you 
have going on in the what you might call “cyber offense,” in other 
words cyber warfare? What — do you have programs within Defense 
dealing with how you would attack enemies 

Dr. Tether. Yes, we do. And unfortunately, I probably can’t say 
much more than yes we do. 

Mr. Ehlers. All right. 

Dr. Tether. But I would be happy to come and tell you about 
it, I just 

Mr. Ehlers. Yeah. I 

Dr. Tether [continuing]. Can’t here. It is 

Mr. Ehlers. There may be several of us who would like to do 
that at some point. 

Dr. Tether. Okay. That would be fine. 

Mr. Ehlers. I also was struck by, and I am paraphrasing what 
you said, I hope correctly, that Dr. Tether, that you said you are 
looking for a lot of good ideas that you can try and implement. Dr. 
Colwell, you were saying you have a lot of ideas but no money to 
do it. I would suggest the two of you get together afterwards. 

Dr. Tether. Well, we do. In fact, as Dr. Colwell said, there is an 
enormous amount of collaboration going on 

Mr. Ehlers. Right. 

Dr. Tether [continuing]. At the — what I would — we would call at 
DARPA the Program Manager level. In fact, when this hearing was 
called, I asked, I said, “How much” — “What is going on between us 
and NSF?” And I was amazed at how much was going on that I 
didn’t know about. 

Mr. Ehlers. I realize that. Dr. Bement. 

Dr. Bement. Yes. 

Mr. Ehlers. First of all, I commend you for your efforts to try 
to speed up the standards process for the 

Dr. Bement. Thank you, sir. 

Mr. Ehlers [continuing]. Information technology. That is abso- 
lutely essential, because they are very frustrated and ready to set 
up their own informal standards organization. So I encourage you 
to pursue that diligently. I appreciate 

Dr. Bement. I will. 

Mr. Ehlers [continuing]. What you have done. First question is 
on a type of cyber security we haven’t discussed here at all and 
that is voting security. 

Dr. Bement. Yes. 

Mr. Ehlers. I am very, very concerned about that, because I 
think that is essential to the proper functioning of a democracy. 
And we passed a bill last year, which provided money for local gov- 
ernments to buy new equipment. At my insistence, responsibility 
was given for you to establish standards for these. And I am very 
concerned. States and localities are already going out and buying 
equipment and — without an assurance of security. And I just cov- 
ered in my conversations with elected — pardon me, election offi- 
cials, who are very, very knowledgeable about the process, but 
many are not knowledgeable about cyber security. They just don’t 
realize the pitfalls, and it is possible for a good hacker to basically 
steal an election without anyone even knowing about it the way 
some of the voting machines are constructed. So what is the 
progress on setting up the commission, setting up the standards, 
and so forth? 

Dr. Bement. First of all, I agree, entirely, with your assessment. 
We have looked into this matter. We have research going on, and 
we have dealt with many vendors in trying to understand their sys- 
tems. Unfortunately, much of the information is proprietary, and 
we almost have to reverse engineer to understand them completely. 
But with regard to electronic voting machines, the interface be- 
tween the software and the hardware leaves plenty of room for 
cyber attack, for fraud, for lack of trust. We talked about trust ear- 
lier. And this is an area where we have to be very active in stand- 
ards, and we feel this needs to be attended to, and we need to put 
much more effort behind it. 

Mr. Ehlers. I urge you to pursue that very, very aggressively, 
because it is a major problem, and the public is simply not aware 
of it. 

Dr. Bement. It has high priority, as far as I am concerned. 

Mr. Ehlers. And if you need greater legislative authority to ob- 
tain proprietary information, that is something we should talk 
about as well, because I 

Dr. Bement. Well, I think we have the authority. I think we 
have some understanding, not complete understanding of what 
needs to be done. We just have to go out and get it done. 

Mr. Ehlers. I appreciate that. The — also, another area within 
NIST, you have talked a lot about your activities of various sorts, 
but to what extent are you involving the higher education commu- 
nity? And I am talking about two ways: one is through supporting 
research there, but secondly through training of students. And I 
was astounded to discover recently that the number of math and 
science — pardon me, math and computer science majors graduating 
from undergraduate institutions today is less than it was approxi- 
mately 15 years ago. And in fact, there was — it has dropped. It is 
starting to come back, but we are still not up where we were. 
Clearly, there is a real need for training of these people, and I am 
amazed. I just met someone in the airport the other day from my 
home state at a higher educational institution, a very prominent 
person in information technology, who was — degree was in master 
of divinity, and that shows maybe you need that to operate a com- 
puter properly. I have always wondered if there are any strange 
spirits inside of my computer. But it shows the extent to which we 
are recruiting from people who have not been trained 

Dr. Bement. Yes. 

Mr. Ehlers [continuing]. In this field. 

Dr. Bement. Clearly, the Committee has recognized one of the 
key issues, and that is a need for more education and training. And 
that is one of our biggest vulnerabilities. It is not just that we don’t 
have the policies and the procedures and the specifications; we 
don’t have the trained personnel to manage the systems. And it is 
in this regard that we look to the National Science Foundation to 
do the manpower training, which we, of course, want to work with 
them on. But beyond that, in our post-doctorate program at NIST, 
which is managed through the National Research Council, we are 
trying to pull in more expertise at the post-doctorate level working 
at NIST in cyber security so that we can leverage some of our ongo- 
ing activities and so we can identify some of the new talent coming 
out of the universities who eventually, hopefully, will join our re- 
search staff. 

Also, in linking up with the research community, I did mention 
that we did have $5 million that did go out in research grants to 
universities. We follow that quite actively. We have worked with 
Dartmouth in their program and helping them roadmap or at least 
reviewing their road map for cyber security research and develop- 
ment. We have similar interactions with other universities, but I 
think the most exciting opportunity is in the Cyber Research and 
Development Act. By coupling industry with academia and bring- 
ing an understanding of the needs and the technical insights, 
which industry can bring with the scientific insights, which aca- 
demic researchers can bring to the table, and then finding ways to 
developing prototypes, standards, and test beds to try and reduce 
the lead time of getting new technologies and new approaches to 
cyber security into the marketplace in the earliest time possible. 

Chairman Boehlert. The gentleman’s time is expired. Ms. Wool- 
sey. 

Ms. Woolsey. Thank you, Mr. Chairman. Dr. Colwell, it is nice 
to see you, gentlemen. Thank you for knowing so much. Mr. Chair- 
man, I have a letter here from the Information Security and Pri- 
vacy Advisory Board, which is a board established and funded by 
the Science Committee, the Computer Security Act of 1987. And it 
is responding to the President’s report, which is huge, that was 
dated February 2003. And the very final statement, I am not — of 
course I want to enter this into the record and ask unanimous con- 
sent to do that, but 

Chairman Boehlert. Without objection. 

[NOTE: The information referred to appears in Appendix 2: Additional Material for the Record.] 

Ms. Woolsey [continuing]. The last statement in the letter re- 
garding the reports, “Additionally, the strategy minimally acknowl- 
edges the critical issues of information and citizen privacy and fails 
to provide specific actions or recommendation. The Board believes 
this must be addressed as well.” And so my question to you is are 
we addressing — I know nothing will be perfect, but are we address- 
ing the tradeoff between privacy and confidentiality and the need 
for security? 

Dr. Bement. Well, let me respond to that. That particular board 
is funded by DARPA and is advisory to me — I am sorry, by NIST 
and is advisory to me as the Director of NIST. So we support the 
board and its activities. And of course, we do take their rec- 
ommendations very seriously, and those eventually become prior- 
ities in our program. Recently, we have, through our interactions 
with the National Science Foundation and with the Department of 
Homeland Security, invited them to become much more active in 
the workings of the board. And the board will be meeting, I think, 
in June. The board will be meeting in June, and we will certainly 
be discussing their recommendations again at that time. 

Dr. Colwell. But I would also like to add that we plan to pro- 
vide more funding to make sure we understand the interplay be- 
tween policy and technology and human behavior and technology 
and the need for privacy in developing a cyber secure system. So 
we intend to do a lot more research in that area as well. 

Ms. Woolsey. And balancing the privacy piece with the security 
piece. 

Dr. Colwell. Yeah. 

Ms. Woolsey. I am sure that this has been answered, but for 
some reason I can’t wrap my mind around — my intellect around 
some of the technical conversation we have had here, so what I 
would like to do is ask you in down-to-earth questions — words a 
couple of things. Do we have adequate tools to — in place? Are we 
putting — getting ready with — for that, and if not, why not? What 
is holding us up? And is there a way to spread the costs of these 
developments among other — many agencies or private industry as 
well? Rita. 

Dr. Colwell. The answer is yes in that we are beginning to put 
together what really is needed, and that is a concerted, coordi- 
nated, and as a result of the Act that was passed, a focus on the 
need for cyber security. We do have components of it in place, and 
we are coordinating it. But we believe, at NSF, that there is a lot 
more research to be done, and what we are trying to do is balance 
the research that is needed to advance computer architecture and 
software development, et cetera, with this very pressing need for 
the security of the systems. So you can’t really pull money out of 
the research to make better systems, because that is part of the 
problem, but at the same time, you can’t neglect the security as- 
pects of it. So this is a real — at this particular transition stage, this 
is a very difficult push and pull. 

Dr. Bement. I would answer slightly differently. Clearly, there 
is a research agenda, and there is a technology agenda, but in our 
assessments, we find that the greatest vulnerabilities are not nec- 
essarily technical vulnerabilities. They are primarily an ill-edu- 
cated user population, lack of adequate cyber security research ex- 
pertise, poorly designed systems and software, specific 
vulnerabilities in commercial IT products, and new technologies 
that are coming into the marketplace with inadequate testing at 
the design and manufacturing stages. So a lot of what is missing 
is knowledge, education, and discipline in the system. 

Dr. Colwell. Could I add another comment, please, and that is 
to point out that what we are finding in our discussions with the 
community is that we really have to include in all of the informa- 
tion technology and computer science training an understanding of 
cyber security and understanding of the need for secure systems 
and that just having an undergraduate and graduate program on 
security isn’t enough. It has got to go across all of the training, just 
as Dr. Bement has pointed out, in order for people to understand 
what it entails and how to address it. 

Ms. Woolsey. I will 

Chairman Boehlert. The gentlelady’s time — well, all right, one 
more. 

Ms. Woolsey. Dr. Bement, you did say, though, we know what 
needs to be done, I am paraphrasing you, it’s just doing it. What 
is stopping us? 

Dr. Bement. Nothing is stopping us. Of course 

Ms. Woolsey. Is it time? 

Dr. Bement [continuing]. Resources — we could accelerate if we 
had more resources, but a lot of it 

Ms. Woolsey. Resources. Well, that is stopping. That is an an- 
swer. 

Dr. Bement. A lot of it is in the private sector. A lot of it re- 
quires better protocols, better metrics, better standards. We are 
working with the standard development organizations in this area. 
It will take time. It is comprehensive. Resources will help. 

Chairman Boehlert. You know — thank you. The gentlelady’s 
time is expired. Dr. Tether pointed out a, I think, very appropriate 
observation that DARPA is sort of idea limited. And that is one of 
the reasons why, in the cyber bill, we put in all of those programs 
for students and to get researchers to change fields. Shouldn’t 
funding for those programs be a top priority? And will NSF and 
NIST ask for funding for those programs in ’05? 

Dr. Colwell. I can respond, sir, and say that we are going to 
be very aggressive in our request for the area of research in ’05. 

Chairman Boehlert. Dr. Bement. 

Dr. Bement. I would respond likewise. We are taking it seri- 
ously. We have discussed it with the Technology Administration. 
We are still early in our ’05 planning, but we are giving this very 
high priority. 

Chairman Boehlert. Thank you very much. The Chair now rec- 
ognizes Mr. Smith of Texas. 

Mr. Smith of Texas. Thank you, Mr. Chairman. First of all, Mr. 
Chairman, let me say to you that I am sorry that I missed most 
of the hearing today. Unfortunately, I am a Member of the Judici- 
ary Committee, which has been marking up some legislation down- 
stairs, and so I have had to be there for recorded votes. In fact, 
there is one going on now, so I will have to be brief in my ques- 
tions. 

Nonetheless, I did want to ask Dr. Colwell and Dr. McQueary to 
respond to a question that I have. And this question basically 
comes from a book that I read this last weekend, and I don’t know 
if you all are familiar with it or not. It is called “Tangled Web.” 
And this is a book that makes a compelling case that both the pri- 
vate sector and the Federal Government are not prepared to deal 
with the cyber attack today. And furthermore, Mr. Chairman, just 
because I am a Member of a relevant Subcommittee, and in the 
briefings that we have had, we had been told that there is at least 
a 50/50 chance that any kind of terrorist attack that might occur 
in the future will involve some aspect of cyberterrorism, either 
wholly or in part. Given the nature of that present and future 
threat, my question, really for the two witnesses, is do you feel that 
the Federal Government today is able to adequately respond to a 
cyber attack? It is my impression from, as I say, reading this book 
“Tangled Web” that we are, today, not capable of responding to a 
terrorist attack and stopping it from costing American lives or perhaps disrupting the economy. But I would be interested in your 
perspectives. 

Dr. Colwell. Do you care to start and then I will add? 

Dr. McQueary. Certainly. We do have the NTAC [National 
Threat Assessment Center] and the Carnegie Mellon — the capa- 
bility to respond if we do see a cyber attack. If — one could postulate 
attacks that we could not respond to, I suppose, effectively, but cer- 
tainly there is a wide variety I think have been demonstrated in 
the past of capability to respond to any — — 

Mr. Smith of Texas. You feel comfortable with our ability today 
to not be the victim of a cyber attack? 

Dr. McQueary. I did not attempt to say that. What I was trying 
to say was that there are many kinds of attacks that we could re- 
spond to. In order to say that we couldn’t respond to it, one would 
have to know what kind of attack 

Mr. Smith of Texas. What kind of attacks are we not able to re- 
spond to? 

Dr. McQueary. I don’t know the answer to that, sir, off the top 
of my head. 

Mr. Smith of Texas. How can you know what we can respond 
to if 

Dr. McQueary. Well, because we have done this in the past 
through this — the NTAC and the — at the Carnegie Mellon Group, 
because we have demonstrated 

Mr. Smith of Texas. Right. 

Dr. McQueary [continuing]. That in the past, and therefore by 
definition, we see that we have been able to respond to things that 
we have seen in the past. 

Mr. Smith of Texas. Dr. Colwell, do you agree with that? 

Dr. Colwell. I think that we have done research that has al- 
lowed us to build firewalls. And I think for the most part, the fire- 
walls that protect sets of data and sets of operations are, on a daily 
basis, effective. Obviously, there are opportunities for attack that 
could be devastating. And it is hard to predict exactly what they 
would be, but I do feel somewhat assured by the — yesterday, the 
Seattle, I think it was in Seattle, there was a mock attack, which 
included cyber, as well as the direct attack with chemical and biological weaponry. But I think that is important, because it shows 
that this is a multi-dimensional 

Mr. Smith of Texas. Right. 

Dr. Colwell [continuing]. Terrorist — potential terrorist problem. 
And cyber security is a component of it. And I think we are well 
aware of that now. And awareness is the beginning of protection. 

Mr. Smith of Texas. And certainly awareness is the first step. 
You have both said that you feel that we have protected ourselves 
against cyber attacks that have already occurred, but not nec- 
essarily — we are not necessarily able to protect ourselves against 
all conceivable cyber attacks, is that a fair statement? 

Dr. Colwell. Well, I — yeah. 

Mr. Smith of Texas. And I see Dr. Bement is shaking his head 
yes as well. 

Dr. Bement. Firewalls tend to be pretty ubiquitous, but, in many 
cases, they don’t contain all of the “four R’s”. And what I mean by 
the “four R’s”, first of all, you have to recognize an attack. In many 
cases, you don’t recognize an attack through a firewall. Second, you 
have to resist it once you recognize it. Then you have to respond 
to it, and then you have to recover from it. And those are the four 
R’s. And 

Mr. Smith of Texas. That is exactly the point of this book that 
I referred to 

Dr. Bement. Right. 

Mr. Smith of Texas [continuing]. That firewalls are not suffi- 
cient, which is what you just said. 

Dr. Bement. And so I would say we have a long way to go, and 
with a determined cyber attacker, with the right kind of training, 
they would be able to defeat many of the systems we currently 
have. 

Mr. Smith of Texas. Okay. Thank you, Dr. Bement, for your — 
thank you, Mr. Chairman. I am finished. 

Chairman Boehlert. Mr. Smith, just let me tell you, you are 
right on in terms of focusing on an area we all have to focus on. 
And it was — our vulnerability. I recognize vulnerability that 
prompted this committee to try to provide some leadership, and 
that resulted in this Cyber Security Research and Development Act. 
And now what we are trying to do is make certain that all of the 
agencies for whom we have earmarked a lot of resources, insuffi- 
cient I might add, but we are trying our best, are working together, 
are coordinating their activities, and are taking the pledge here 
and now that this is a matter of high priority. And you have got 
to give this increasing attention. And that — you were not here ear- 
lier, they have assured us of that. Department of Homeland Secu- 
rity has just been up since — essentially since 1 March. Dr. 
McQueary is the new guy on the block, and it is just a mind-bog- 
gling challenge. I think he is up to the challenge, and I think we, 
collectively, are up to the challenge. But we better damn well get 
serious about this and not just talk but act. So thank you very 
much for those observations. 

Mr. Smith of Texas. Thank you, Mr. Chairman. Mr. Chairman, 
I might add, I think one of the reasons that Dr. McQueary is up 
to the challenge is because he has two degrees from the University 
of Texas. 

Dr. McQueary. You are very kind, sir. Thank you. 

Chairman Boehlert. The Chair now recognizes Mr. Bell. 

Mr. Bell. Thank you, Mr. Chairman. I apologize for missing 
your testimony. There is cyber security and there is Congressional 
District security, and since my district is currently under attack in 
the state of Texas, we decided we would go pay homage to our 
friends holed in Ardmore, Oklahoma. So that is why I wasn’t 
present, and I hope you understand. 

Dr. Tether, I wanted to visit with you for just a moment, because 
I found your remarks to be refreshing. I have only been here for 
four months, and I have had a bunch of people come and tell me 
that they have ideas but they don’t have money. You are the first 
I have heard that has plenty of money but a shortage of ideas. So 
it is a nice turnaround. But I wanted to — you — I understand your 
reluctance to talk about cyber warfare and what is being planned 
in that regard, but several months ago, there was a rather extensive article in the Washington Post about some of the plans that 
were being undertaken by the Department of Defense, some of the 
studies that were being conducted. And I sort of subscribe to the 
theory if it has been in the Washington Post, it is going to be hard 
to keep it secret after that. And they talked about looking at ways 
to, perhaps, wipe out the entire electrical grid in the wake of war 
or while involved in war, looking at maybe shutting down hospitals 
that use cyber technology. My question is, knowing that those ef- 
forts are going forward, what is the collaboration between those 
who are looking at ways to attack and using it in an offensive posi- 
tion and those looking to defend, because it would seem to me that 
there should be a great deal of collaboration in those areas? 

Dr. Tether. Well, it — even though it appeared in the Washington 
Post, I still have a hard time confirming or denying the Washington 
Post. But let me tell you, one of the — there is a great collaboration 
that goes on between those who look at offensive things versus 
those who look at defensive things, because they are really two 
sides of the same coin. So the people who are doing the offensive 
parts, when they develop techniques, we then obviously build a de- 
fense against that technique. So the people — and vice versa. When 
people build a defensive technique, then the offensive people need 
to know about it in order to try to penetrate that technique. So 
there is a great amount of collaboration that goes on between those 
two communities. Let me say, at least within DARPA, some of the 
operational people would not have a collaboration because it is 
very, very sensitive, but in our research, there is a great collabora- 
tion between the two communities: those who are coming up with 
techniques to penetrate and those who are coming up with tech- 
niques to prevent people from penetrating. I really can’t give you 
any — I would be happy to give you all of the details, quite frankly, 
but I just can’t here. 

Mr. Bell. No, I understand. 

Dr. Tether. Yeah. 

Mr. Bell. And I don’t expect you to, and that wasn’t the point 
of the question. I am more interested in what kind of collaboration 
is taking place. 

Dr. Tether. There is a lot of collaboration in — between those two 
communities for those — for the reasons I gave. 

Mr. Bell. What is the general feeling as to where the United 
States stands right now in terms of cyber warfare? Are we behind 
in that area or are we ahead? 

Dr. Tether. I almost would have to go country by country, and 
I would rather not, for — again, for classification reasons. I 

Mr. Bell. But we are certainly not alone? 

Dr. Tether. Oh, no. No, we are most certainly not alone. We are 
most certainly not alone. And I think you can obviously — the obvi- 
ous large players like the — like Russia, China, you know, these are 
people who are taking this very seriously, very smart people. We 
are not alone. 

Mr. Bell. Thank you. 

Chairman Boehlert. Excuse me, if I may interrupt here. Some 
would argue they are taking it more seriously than we have been 
in the past, but now we have a new focus. 

Mr. Bell. Well, taking this whole question of collaboration a step 
further, because, and I am — and I don’t want to put words in your 
mouth, but you were saying — I don’t know if you said you heard 
about some things today or recently that you didn’t know that were 
going on. And I would expect that. But this is an area where I 
would think that it is really incumbent upon those who are in- 
volved to be talking to each other. And are there steps that need 
to be taken to make that easier? 

Dr. Tether. Well, you know, when I said that, I was referring 
to the activity between DARPA and NSF. And what you learn, 
DARPA is really a Program Manager place, and there are 160 Pro- 
gram Managers. I don’t know how many Dr. Colwell has, but she 
has a few. 

And you would be amazed what goes on that the Directors don’t 
know of, each agency doesn’t know what is going on. So what I 
had — when this hearing came up, I put out a call to all my offices 
saying, “Why don’t you guys tell me what you are doing with 
NSF?” You know. “Go and find out what the program” — and I got 
a lot of activity. I mean, I have got an enormous amount of activity 
that I did not know about. And — but it is our Program Managers 
farming the ideas coming out of NSF so that they could bring them 
back and say, “Hey, look. Here is a great idea.” And this is — I am 
talking about cyber security type of activity now, not just in gen- 
eral. In general, there is a real large amount of activity, but — so 
they can come back with an idea, which what DARPA does is takes 
that idea. And we basically take it to the next step of applying it, 
you know, taking that idea into a technology that can be used. 

But there is a great deal of activity that has — that was going on 
that I — quite honestly, I was not really aware of. I kind of figured 
it was going on, but I didn’t know the specifics. And I was im- 
pressed. 

Chairman Boehlert. The gentleman’s time is expired. I am sort of surprised by that answer, a veteran like you. With Dr. McQueary, he is just in, the new guy on the block, and he knows what every one of those 180,000 people are doing within the new Department of Homeland Security.

Mr. Bell. But Dr. McQueary went to UT. 

Chairman Boehlert. Oh, boy. With that, Mr. Udall. 

Mr. Udall. Thank you, Mr. Chairman. I, too, want to thank the 
Chairman for calling this important oversight hearing today and 
thank him for his leadership on this whole area of cyber security. 
It is also — it is inspiring to see the all-stars out here on this panel, 
and thank you for your service to the country and for your great 
help and assistance you provide to the Committee. 

I want to ask two general questions, and Dr. McQueary, I will give you a heads-up on the second question, which I am going to ask you first. And your Directorate has requested about $800 million in this fiscal year of 2004. And I am just curious how that money would be allocated, particularly to cyber security. If you would, set that question aside and hopefully we will get to it.

The second one — question was to yourself and Dr. Bement. And 
it is always great to see the NIST Director here. 

Dr. Bement. Thank you. 
Mr. Udall. I know you have under — you have signed an MOU between DHS and NIST.

Dr. Bement. Pending. 

Mr. Udall. Yeah, pending. Thanks for that correction. Can you provide me, the two of you, with your understanding of the activities that would be carried out under the MOU and the respective roles of NIST and DHS? And I think most importantly for most — for all of us is will NIST have the resources to carry out the activities envisioned in the MOU?

Dr. Bement. The answer to the second question is yes; we will have the resources. The answer to the first question is that the MOU is very comprehensive. It includes technical support, research and development support, and standards support across the whole mission spectrum of the Science and Technology Directorate. Cyber security is clearly one of the keystone elements of that MOU, and it is one that we have already anticipated by putting one of our research staff with DHS in cyber security to begin coordinating that activity.

Mr. Udall. Dr. McQueary, would you like to 

Dr. McQueary. I would be happy to. The — in the — as you correctly point out, the fiscal year 2004 budget request is $803 million for the Science and Technology Directorate. Within that budget, we have $7 million that are specifically allocated toward cyber security-related activities. And I would like for you to keep in mind that the basis for that is that our role is one of supporting the Information Analysis and Infrastructure Protection Directorate within Homeland Security and providing Science and Technology support to them in that. We are just barely operational. And of course the Critical Infrastructure Protection Board was in existence at a time when we actually constructed that budget. And therefore, if we were to find that the money we have, we conclude, is not adequate, I have no problem whatsoever in revisiting what the budget allocation is and looking for support from people like yourself for making such an evaluation.

Mr. Udall. Mr. Chairman, if I might, I would like to yield to my 
colleague, Ms. Jackson Lee, for 30 seconds. She has to leave, but 
she wanted to make a brief statement. 

Ms. Jackson Lee. First of all, let me thank the Chairman for 
this very important hearing. I was in a markup in Judiciary, and 
now I have been called off to another meeting. Gentlemen, I would 
ask the Chairman to have permission to unanimously put into the 
record my statement, and I will 

Chairman Boehlert. Without objection. 

Ms. Jackson Lee [continuing]. Proceed with the individuals on this important issue as a Member of the Homeland Security Committee. I thank you. This is a major question for our community cyber security.

Thank you, Mr. Chairman. Thank you, Mr. Udall. 

Chairman Boehlert. Thank you very much. Mr. Udall, you have 
two minutes remaining. 

Mr. Udall. Thank you, Mr. Chairman. It might be, I think, of some interest to the Committee that when the MOU is signed, perhaps there is a way to get a further update as to how that might unfold and I don’t know whether we would need to do that formally or informally, but I would make that request to the two of you today and

Dr. McQueary. I would be happy to do that. 

Mr. Udall [continuing]. The Chairman as well. Do you have — 
when we talk about the funding, Dr. McQueary, you mentioned 
some of the criteria you used. Did you cover all of the criteria that 
had been involved in determining how this cyber security money 
will be directed and where you will focus those initial efforts? 

Dr. McQueary. Well, initially, when we — when our budget was constructed, our intent was to focus on the forensics aspect of cyber security and also attribution, those being two areas that appeared as though we could make a contribution in that area. I think that we will be continually examining what our role is, because, as you know, the IAIP organization did not have — in fact, it does not today, have an Under Secretary that leads that effort yet, although a nomination has gone forth for that, and we are hopeful that that will be approved expeditiously. And so we will be working very, very closely with the IAIP people to make sure that we do have the proper amount of budget and the right scientific areas being focused in support of their conclusions on what we need to be doing.

Mr. Udall. The — your presence today and the Chairman’s commitment to this whole area underlines the crucial nature of it. I do think — if I could just make a general comment, we all have work to do to educate the American public as to the threat we face. Like so many other areas in this modern society in which we live, we take for granted a lot of the conveniences, a lot of the systems that make our lives easier than they might have been 100 years ago. And I think anything you can do to help us, we can help — do to help you in that mission, I think, would be time well spent. I think — I am reminded of the movie “Catch Me If You Can”. I don’t know if you have all seen that, maybe that has been mentioned today, but in a way, we want to recruit some of those people that fit the model of that young man in that movie who would be inclined to, because they want the adventure, I think, of breaking these systems and getting into places where other people haven’t been and see if we can bring them to the side of us and create a socially productive avenue, so we say, for those young hackers out there. We ought to be looking at that. That is an opportunity, I think, as well as a threat.

Thank you, Mr. Chairman, and again, I want to thank the panel. 

Chairman Boehlert. Thank you very much. Dr. McQueary, 
where is the research going to be focused in DHS? Who is going 
to be doing it? 

Dr. McQueary. For cyber security specifically? 

Chairman Boehlert. Right. 

Dr. McQueary. It will be conducted by the Science and Technology Directorate, yes, sir.

Chairman Boehlert. All right. 

Dr. McQueary. And that is the role that we 

Chairman Boehlert. Have you earmarked where within your 
operation? 

Dr. McQueary. Where specifically within 

Chairman Boehlert. Right. 

Dr. McQueary [continuing]. My organization? 
Chairman Boehlert. Have you identified people and

Dr. McQueary. Yes, we have. In fact, we have people

Chairman Boehlert. People and dollars? 

Dr. McQueary. People and dollars, yes. Yes. 

Chairman Boehlert. That is good. Could you provide that for the record¹

Dr. McQueary. That was a — yes, sir. 

Chairman Boehlert [continuing]. At your convenience? All 
right. The Chair recognizes Ms. Lofgren. 

Ms. Lofgren. Thank you, Mr. Chairman. I would also like to 
offer my apologies, as several other Members have. I am also a 
Member of the Judiciary Committee, and I also was tied down in 
a markup all morning, so I missed your testimony, although I have 
read it. And I appreciate the Chairman’s calling this hearing. I 
would note, I am a Member of the Homeland Security Committee 
and ranking on the Cyber Security Subcommittee, and we have 
beaten Homeland Security to the punch on this hearing. And so I 
will see you, I guess, next week as well on some of these issues. 

Chairman Boehlert. As we all will — several of us will. 

Ms. Lofgren. Right. I do want to just briefly return to one issue and explore another, and then I know the lunch hour is here. As I am sure you recall, Dr. Bement, there was concern last Congress about the proposal to shift some NIST activities to DHS. And the concern really — and this committee, on a bipartisan basis, objected to that, and in the end, Congress did not approve that shift. I am sure you are aware that there is anxiety in the country about the detailing of staff by NIST to DHS and whether that has the effect of accomplishing administratively what the Congress did not approve last Congress. I am not suggesting that is the case. I would like to explore that with you.

Dr. Bement. I would say that — I am sorry. 

Ms. Lofgren. The question really has to do is what are they doing specifically? I know you say there is a detailed MOU, but specifically, I would like to know the nature of that — their activities relative to encryption. Can you address that?

Dr. Bement. To my knowledge, there is no work going on in 
encryption at the present time. We have two people detailed to the 
Department of Homeland Security. One is providing a coordination 
role between DHS and NIST in terms of acquainting DHS with our 
cyber security efforts. Now the other person is working with 
Science and Technology Directorate in, working with Dr. Albright 
in back of me, as a matter of fact, in developing a national strategy 
for DHS and standards development. And of course, that is our 
area of expertise 

Ms. Lofgren. Right. 

Dr. Bement [continuing]. So we are willing to assist — I mean, we are happy and anxious to assist DHS in that area. And as far as the issue that you brought up, we are very grateful to the Committee for recognizing the importance of the independent role that NIST plays with the private sector in developing guidelines and in developing specifications and standards in the area of cyber security. And anything that we do with other agencies, we preserve that independence and that integrity, so I wanted to assure you of that.

¹ This information is provided in Dr. McQueary’s answers to post-hearing questions, located in Appendix 1.

Ms. Lofgren. I wonder if I could — I know you are going to provide the draft MOU to the full Committee. I — as a Member of the Homeland Security Committee, it would be especially helpful to me if I could get a copy of that prior to our hearings next week, if I could ask that favor.

Dr. Bement. We — I think the signing will be taking place on 
Monday. 

Dr. McQueary. I believe the 19th is the day that we did have 
that set up. 

Dr. Bement. The 19th of May, and we will provide a copy to you 
as soon after it is signed as we can. 

Ms. Lofgren. Let me ask another question relative — it is actually to funding, and I know that probably people who head bureaus and directorates and departments or — and are probably discouraged from complaining about their funding to Congressional Committees. But I am concerned about whether there is sufficient funding to do some of the things that I think are essential to the national security. One of the issues that has been discussed informally at the Homeland Security Committee is the lack of — or at least apparent lack of rigorous analysis of biometric standards. And what are we looking for in terms of ease of use, reliability, scalability, et cetera, et cetera?

And I am wondering — it seems to me that the absolute best home for that kind of analysis is NIST, because it is a standards issue. It is not a policy issue. It is not a political — it is a standards issue. And I know last year, I asked NIST to provide me with information about biometrics. You very kindly responded, but it was not original research. It was sort of a compilation of what is out there, and I will say it was rather thin. Is NIST sufficiently funded to accomplish that kind of biometrics analysis and standard setting if the Department of Homeland Security were to ask you to do so?

Dr. Bement. We certainly have the competence to do that and until now, most of the resource that has been going into that area has partly come out of our base program. Part of it has been provided by DARPA.

Ms. Lofgren. So we would need to provide 

Dr. Bement. Part of it has come from 

Ms. Lofgren [continuing]. Additional funding? 

Dr. Bement [continuing]. Department of State, Department of 
Justice. And in our ’04 budget request, we have requested that $1 
million of additional funding in order to beef up our effort in this 
area. So it is in our ’04 budget request. 

Ms. Lofgren. Is $1 million enough to actually accomplish that? 

Dr. Bement. No, but it is all we could work in. 

Ms. Lofgren. All right. I — how much would you need if the DHS 
were to ask you to accomplish that function quickly and reliably? 
What would the tag be, do you think? 

Dr. Bement. We feel it would be $3 million. 

Ms. Lofgren. All right. Thank you very much, and I see my time 
is expired. 
Mr. Ehlers. [Presiding.] We will proceed with a brief second round of questions. I will kick off a few. First of all, Dr. McQueary, you have got a blank piece of paper in front of you for what you are going to do. And my question is — I have several questions related to that. Who is going to perform the cyber security research for you? Are you planning to hire staff members? Do you plan to have — use grants to universities or contracts or grants with the private sector companies or other federal agencies? What do you see as developing here?

Dr. McQueary. I see it as being a combination of all of the things that you just talked about. The construct of the Science and Technology Directorate is such that we will largely be in the role of managing the programs that will be executed, both the federal and national labs, private sector, as well as university academia, if you will. And so we will have the leadership role. In fact, we have about four people already in roles, which I touched upon earlier, that are detailed to us with — and have experience in the cyber security area. So we will provide the leadership, oversight, program management responsibility, if you will, and contract that work out into the various sectors you talked about, always looking for where the top quality work is being done to capitalize upon that.

Mr. Ehlers. Okay. And do you think cyber security will get the 
attention it needs? Are you going to have sufficient funds to do all 
of the things you are supposed to do in your area? And given all 
of the different competing needs that you will have to deal with, 
is cyber security going to get the attention it needs? 

Dr. McQueary. Well, it certainly has the attention — has my attention, and I have the responsibility for constructing the — a budget and making the proposal to Secretary Ridge as to what we should do there, so if we do not get the sufficient attention, then I am the first person that one should come to to say why not, because I have that responsibility in Science and Technology.

Mr. Ehlers. Okay. Our concern would be that it would just be 
considered just one more aspect of infrastructure protection in the 
overall scheme of things in DHS. 

Dr. McQueary. I am sorry, I missed the question. 

Mr. Ehlers. I am just worried that this may just be considered one other aspect of infrastructure protection within DHS and actually be competing with all of the different

Dr. McQueary. I believe that we will see some organizational restructuring very shortly within DHS that will, I hope, illustrate to you that we do take this issue very, very seriously.

Mr. Ehlers. Okay. And something else. I don’t know if — I would be interested in what all of you have to say, but perhaps you don’t have the figures with you and want to respond in writing, which would be fine. I am curious what is being spent on cyber security R&D by the Federal Government in total and how much by the private sector. Do you have an idea of this or would it be better to just ask you to send in the information?

Dr. McQueary. I do not have the information, sir. 

Mr. Ehlers. All right. Dr. Colwell, if you have 

Dr. Colwell. Right now, we have about $53 million, but that can go up to as high as $75 or $76 million, depending on the outcome of some competitions that are in play at the moment for the potential for a center award and a potential for scholarships and so forth. But we see, pretty much, coming close to the authorized number.

Mr. Ehlers. Okay. Dr. Bement. 

Dr. Bement. Well, I can only speak for NIST. As I indicated in 
my testimony, we currently have $24 million of appropriated and 
base funding going into cyber security. We also have additional 
funding coming from other agencies: the National Security Agency 
and DARPA. 

Mr. Ehlers. Um-hum. 

Dr. Bement. I think our DARPA account is around $5.2 million, 
so adding that all together, it would still be less than $50 million 
in NIST. As far as the Federal Government at large or the Nation 
at large, I don’t really have those numbers. 

Mr. Ehlers. Okay. And Dr. Tether. 

Dr. Tether. I also don’t really know what the Federal Government is spending, but at DARPA, we are spending — in ’04, we will be spending around $50 million in cyber — in information awareness. But there is more that we are spending that I actually will give you for the record, because we are doing cyber security with other programs. For example, we are building networks. And then there are activities within the building of a network, which is also to make the network secure, so it is embedded. I will try to pull that out for you. But it might be another $50 million, so it might be a total of 100. And then we have the classified work, which I will tell you separately.

Mr. Ehlers. All right. And are you also including in your work 
efforts to prevent damage from electromagnetic pulses, or is 
that 

Dr. Tether. No. 

Mr. Ehlers [continuing]. Considered totally separately? 

Dr. Tether. That is considered totally separate, yeah. 

Mr. Ehlers. Okay. But by and large, Defense Department facilities are hardened against that?

Dr. Tether. They are hardened against that. 

Mr. Ehlers. Yeah. 

Dr. Tether. There are requirements for them to be hardened 
against that. 

Mr. Ehlers. Do you have any idea to what extent the private 
sector or — is hardened against EMP? 

Dr. Tether. I would be surprised — well, first of all, they — all — everybody has, usually, a surge suppressor

Mr. Ehlers. Right. 

Dr. Tether [continuing]. You know, which gives them some 
hardening, but that would be, probably, the limit. I don’t know of 
anything else. 

Mr. Ehlers. I would think banks, at least, would want that. 

Dr. Tether. You would think so. 

Dr. Bement. I think they would still be vulnerable against pulse 
power attack. I mean, if 

Mr. Ehlers. Yes. 

Dr. Bement. If an attacker had the capability 

Mr. Ehlers. Yeah, a surge protector won’t do too much. 

Dr. Bement. No, it won’t do you very much. 
Dr. Tether. No. No.

Mr. Ehlers. No. Okay. My time is expired. Anyone else wish 
to — Mr. Miller, you are recognized for five minutes. 

Mr. Miller. One last set of questions. Is it Dr. Bement? 

Dr. Bement. Bement. 

Mr. Miller. Bement. Okay. What you said in response to Ms. Woolsey’s questions were very reassuring to me that what we need is knowledge, education, and discipline. The security is now available, I think you said, through protocols, metrics, and standards, that we have very smart people working on this, and that there is nothing stopping us from doing it, from being secure. And I — and that is greatly reassuring to me. And Dr. McQueary pointed out correctly, of course, that anyone in the private sector is going to know the risk to their business of not being secure, of suffering an attack.

Dr. Bement. Yes. 

Mr. Miller. What I am concerned about, somewhat, is that there is — there will always be people who do things on the cheap, who don’t — do not show knowledge, education, and discipline. And what are we doing to make sure that when people in the private sector do their kind of assessment of what it costs to adopt the security measures they should adopt versus the risk that they face if they don’t, that they take into account not just the risk to them, to their business, but the risk to others that they deal with — the ripple effect that we talked about earlier? The loss of the power grid, obviously, would have a massive effect. I think you mentioned, or Dr. Tether mentioned, the possibility that — or it may have been you, that hospitals could be shut down. Obviously there is risk to others and not just the direct loss and disruption to the victim of an attack, but of all those deal with. Are we doing anything for requiring anyone in the private sector to adopt security measures? Have we thought through whether the standards that we are developing, the protocols, form the basis of a standard of care for civil liability? What are we doing to make sure that people in the private sector think through the risk, not just to them, but on down the line?

Dr. Bement. I can tell you this much that many of the professional societies who have begun to pay attention to these risks, which are really the product of the probability of the event plus the consequence — times the consequence of the event, have begin — have begun to develop risk models with their constituents so that industry is better informed about what the consequence of a cyber attack might be, or any other vulnerability might be. I have to say that, as a Nation, our greatest vulnerability is indifference.

I think it was Dr. McQueary that pointed out that 85 percent of our industry and productive capacity is owned by the private sector. And yet, all of the surveys that I have looked at recently in surveying the private sector on what they are doing in terms of either vulnerability assessment or dealing with risks, terrorist risks, indicate that they don’t really see themselves as a target, which is sort of indifference. And in some respects, I think it may, in order to bring it home to them, require some of the kind of exercises or demonstrations that took place this last weekend to actually demonstrate what the consequence might be of these attacks so that CEOs and other leaders in industry will have it brought home to them, what it could, in fact, mean to their manufacturing operation, their logistics train, their supply train, all of their other elements that they have to deal with on a day-to-day basis. And I feel that that is our biggest vulnerability right now is they just haven’t quite stepped up to the plate.

Mr. Miller. Do you know if the insurance industry has looked 
at cyber security as a liability issue? 

Dr. Bement. I am sure they have. Yes, indeed, they have. The 
insurance rates have gone up dramatically since 9/11, so there 
clearly is a payback in being able to demonstrate that you are 
much better protected against these types of attacks. 

Mr. Miller. Well, is it the only 

Dr. Bement. It is not only insurance; it is the reinsurance rate 
as well. 

Mr. Miller. Right. Well, yes, the — I imagine the potential liability is massive. It would require going to the reinsurance markets. Is it being excluded for policies? Is it being included in policies? Are insurance companies — liability insurers having a word of prayer with their insureds about what they are doing?

Dr. Bement. Well, I must confess this is getting a little bit beyond my ken or my area of expertise, so I really can’t

Mr. Miller. But it is a strong economic incentive 

Dr. Bement. Yes. 

Mr. Miller [continuing]. To do the right thing? 

Dr. Bement. I would think so, yes. 

Mr. Ehlers. The gentleman’s time has expired. Mr. Udall, do 
you have any questions? 

Mr. Udall. Mr. Chairman, I had a last question, hopefully, thankfully, although this is a topic, which we will revisit. Dr. Tether, I was just curious in looking over your material you compiled for the Committee and the good work you did here in describing network centric warfare and suggesting we maybe aren’t quite there yet, but we are certainly network-dependent. Have you gotten any indication out of the recent conflict in Iraq that the Iraqis had any kind of cyber security tools that we hadn’t anticipated or that there were, perhaps, other countries or other individuals developing those for the Iraqis or for future opponents?

Dr. Tether. The — I don’t know of anything. That doesn’t mean 
that there wasn’t something. GPS jamming was the only thing that 
I know about. 

Mr. Udall. I am sure you are going to take a look at that, and I would bet that some of this may well be classified, but we always have, when we have these encounters, have a chance to then review our mistakes as well as our successes.

Dr. Tether. Yes, and that is all being done. 

Mr. Udall. I hope we will — I know we will do that. 

Dr. Tether. Yeah. 

Mr. Udall. And it strikes me that the military, once again, is on the cutting edge of some of these technologies and we look at the history of the Armed Services, and much of what was generated in the Second World War is now used in civilian activities. One of my real interests, and I share with our Chairman of the Committee is energy, and the military is leading the way in certain new technologies: fuel cell technology, photovoltaic uses and others because of the transformation we are trying to put underway in our military. So I think you all have a very — I just wanted to conclude by saying you, of course, have a very important role to play in this. And we look forward to this all-star team working together seamlessly to help lead us to a more cyber secure future.

Dr. Tether. Well, it is clear with the — private industry really has not been able to do the tradeoff of what does it cost them to not have it. It is very clear for the military, when we are becoming really dependent upon that network being there, what happens if that network is not there. So the tradeoff is, you know, very clear. There is no — we have to make those networks secure, otherwise everything we are building for the future will not work, and that would be a disaster, I mean, to the national security.

Mr. Udall. Mr. Chairman, I have many more questions, but I 
think the lunch hour does beckon. I would yield back my remaining 
time. I thank, again, the panel. 

Mr. Ehlers. The gentleman yields back his time, and I am sure 
the panel appreciates it, and the audience. I just wanted to pick 
up on the last two comments. First of all, perhaps it is only 
through higher insurance rates that people will become aware of 
the need for protecting their equipment. And that goes to your last 
point, too, Dr. Tether, that most people and most businesses don’t 
realize the risk and therefore they don’t take the trouble to protect 
against it. 

But it is a bit ironic, Dr. Bement, that you mentioned the electric 
power industry, because I, for roughly five years now, I have been 
telling my constituents in town meetings, and I had to, because I 
voted against the Defense appropriations for three years, because 
I thought they were funding the wrong things. And of course, all 
of the veterans show up at my town meetings and castigate me for 
not supporting Defense. But I simply pointed out that what we are 
doing is pouring a lot more money into the same old systems, and 
the real danger is not a major nation attacking us, it is terrorists 
attacking us. Unfortunately, I was correct, and so we are all now 
alerted to that. 

But the other example I give my constituents now, because they are all terrified about aviation, and I simply say, “The problem is we always fight the last war.” And we are now making our airlines super safe, and we have to worry about port security and then the power industry. I have said, for a number of times, “Give me 20 knowledgeable people about computers and explosives — and a little explosives, and I could bring down the power grid in one night.” And of course, we could get it up again in probably four or five days, but can you imagine what the cost is of four or five days’ productivity to our nation, particularly if this can happen repetitively?

So it is — the best way, of course, is to stop terrorism at its source. It is impossible to really totally defend against it here, but we can certainly do much more in defending against terrorism within our borders than we are currently doing. And we tend not to wake up. As you say, they are — it is indifference. The indifference goes away with each specific attack, but then we tend to prevent to guard against that attack again. And there is a plethora of possibilities for terrorist activity.
I want to thank the panel very much. It has been an outstanding panel. You have each represented very well the expertise available within your agencies or departments. And I certainly appreciate your attendance here. The information you have given will be, indeed, very valuable to us as we continue our deliberations. Thank you very much for being here. With that, the hearing is adjourned.

[Whereupon, at 12:20 p.m., the Committee was adjourned.] 
Answers to Post-Hearing Questions

Responses by Dr. Charles E. McQueary, Under Secretary for Science and Technology, 
Department of Homeland Security 

Questions submitted by Chairman Sherwood Boehlert 

Q1. You stated at the hearing that you would provide for the record information on the people and dollars that the Department of Homeland Security (DHS) Science and Technology directorate plans to devote to cyber security research and development activities in fiscal years 2003 and 2004. Please do so. In addition, to what extent do you expect your fiscal year 2003 funding for cyber security research and development to be spent for support of DHS personnel? For support of programs at other federal agencies and national laboratories? For grants and contracts to universities and companies? (When providing the information requested in this question, please distinguish between research and development programs and education and workforce training programs.)

Al. The Science and Technology Directorate’s current plans for people and funding 
devoted to cyber security research and development in FY 2003 and FY 2004 are 
as follows: 

FY 2003: 2 staff members within the DHS Science and Technology Directorate and 
funding of approximately $5 million. 

FY 2004: 2 staff members within the DHS Science and Technology Directorate and 
funding of approximately $7 million. 

For FY 2003: The DHS Science and Technology Directorate plans to fund about 
$1 million per year at universities through the National Science Foundation (NSF). 
A contract with a private firm for about $1 million has been awarded to continue 
work addressing insider threats. In addition, proposals with a total value of about 
$3 million over three years are pending from the National Institute of Standards 
and Technology (NIST), a nonprofit research institute and another federal agency 
for additional cyber security research and development; until these are actual 
awards, it is not appropriate to estimate the actual amounts to these entities. We 
would be pleased to provide this information after actual awards are made if this 
is desired. Each of these existing and pending efforts is a research and development 
activity; none is an education/workforce training effort. 

Q2. At the hearing, you said that if the funding you have proposed for cyber security 
research and development for fiscal year 2004 “is not adequate,” you would 
“have no problem whatsoever in revisiting what the budget allocation is.” When 
will you begin reviewing the factors that determine what level of spending is 
needed? How will you decide if the level is “not adequate”? When will you let 
us know whether you believe the allocation should be changed? 

A2. The Science and Technology Directorate has reviewed its proposed FY 2004 
funding and currently believes the proposed amount for cyber security research and 
development (R&D) is adequate. However, we continue to assess our research and 
development plans in the context of the national effort in cyber security. If we deter- 
mine that the proposed amount of our funding is not adequate, we would first evalu- 
ate the impact of reprioritization and re-allocation of existing budgets. If believed 
necessary, we would bring a request for additional funding forward for consideration 
through the appropriate mechanisms. Additionally, in order to accurately determine 
what level of funding is needed for cyber security research and development, we will 
continue to work with other agencies with R&D responsibilities, such as NIST and 
NSF, to identify requirements and gaps in funding. This coordinated approach will 
assist in making the right investments in this area while preventing unnecessary 
and wasteful duplication. 

Q3. In other forums, you have stated that most of the focus of the DHS Science and 
Technology Directorate at first will be on shorter-term technology development. 
How will you balance technology development and basic research in cyber secu- 
rity? Do you expect that balance to change over time? 

A3. The Science and Technology Directorate recognizes there are some technology 
needs that require immediate attention; some of these needs were identified in the 
National Strategy to Secure Cyberspace, while others have been identified by the 
critical infrastructure protection community. The Science and Technology Direc- 
torate believes that those cyber security issues which require basic research to solve 
are more within the scope of the National Science Foundation than our Directorate. 
Our long-term portfolio plan may address basic research to some degree through 
programs directed out of the cyber security research and development center. 

Q4. At the hearing, you testified that the Committee will “see some organizational 
restructuring very shortly within DHS that will . . . illustrate to [the Committee] 
that we [at DHS] do take [cyber security] very, very seriously.” Since the hearing, 
there have been press reports that DHS will establish an office to execute the 
President’s National Strategy to Secure Cyberspace. Please tell us for the record 
what restructuring is intended and when it will occur. What will the responsibil- 
ities and size of the new office be? 

A4. The reference to the DHS restructuring around cyber security referred to the 
subsequent announcement of the creation of the National Cyber Security Division 
(NCSD) within the Information Analysis and Infrastructure Protection (IAIP) Direc- 
torate. The NCSD incorporates some of the operational capabilities of the Federal 
Computer Incident Response Center (FedCIRC), the National Communications Sys- 
tem, and the National Infrastructure Protection Center (NIPC), along with new 
streamlined and consolidated outreach and awareness capabilities recently formed 
in the Directorate. The NCSD is adding new capabilities for vulnerability assess- 
ments, risk reduction methodologies, threat analysis, and enhancing training and 
workforce development activities in the public and private sectors. At present, it is 
expected that the NCSD will have about 40 FTEs total and a budget of about $86 
million, including the funding for civilian salaries and operating expenses. 

The Science and Technology Directorate has also organized its cyber security re- 
search and development with the intent of making it a visible and important compo- 
nent of its total research and development effort. 

Q5. DHS, through its planned work with critical infrastructure suppliers, has an op- 
portunity to connect researchers with companies that have real, unsolved cyber 
security problems. How will DHS make these connections? How will the issue 
of sensitive critical infrastructure information be handled in these situations? 

A5. The Science and Technology Directorate is establishing a cyber security re- 
search and development center that will enable partnerships with academia, private 
industry and national laboratories. A principal purpose of this center is to engage 
the researchers with the product developers and accomplish technology transfer to 
the companies with specific needs. This center will engage the critical infrastructure 
companies through mechanisms such as industry associations and consortia, bridg- 
ing the gap and connecting companies with researchers and developers as required. 
In addition, the IAIP Directorate will be the chief customer to the center and will 
deliver needs and requirements based on their interaction with the critical infra- 
structure sectors. 

The protection of sensitive critical infrastructure information is recognized as an 
overarching issue of high importance, not only within the context of cyber security 
R&D but across the Department. In accordance with the authorities provided in the 
Homeland Security Act of 2002, the IAIP Directorate developed proposed procedures 
for handling Critical Infrastructure Information. The procedures detail the receipt, 
care, storage and marking of the submitted data. These proposed procedures were 
released for public comment and are now undergoing final refinement. Once these 
procedures are finalized, the Science and Technology Directorate will adhere to 
those policies to ensure that critical infrastructure information voluntarily sub- 
mitted by the private sector is handled appropriately and protected accordingly. 

Q6. How will DHS work cooperatively with other agencies on cyber security research 
and development? Specifically, 

Q6a. You testified that a Memorandum of Understanding between National Institute 
of Standards and Technology (NIST) and DHS will be signed shortly. Will 
DHS provide funding to NIST for specific projects? Are there particular areas 
in cyber security that you are planning to work together on? 

Q6b. Will DHS provide funding to support existing or new cyber security grant pro- 
grams at the National Science Foundation and the Defense Advanced Research 
Projects Agency? 

Q6c. Is DHS drawing on the expertise in the Infosec Research Council (IRC) and the 
High Confidence Software and Systems group within the Networking and In- 
formation Technology Research and Development Interagency Working Group? 
How will DHS be interacting with these interagency groups? 

A6a,b,c. The Science and Technology Directorate’s cyber security portfolio manager 
has been, and continues to be, in dialogue with the National Science Foundation 
and NIST, both individually and cooperatively. NSF, NIST and DHS (S&T) recently 
agreed to formally organize their efforts and work collaboratively to identify the 
R&D agenda appropriate to each agency. As stated previously, proposals are pend- 
ing from NIST and others; until these are actual awards, it is not appropriate to 
estimate the amount that will be awarded to NIST. The Science and Technology Di- 
rectorate will provide co-funding to NSF and NIST on those programs determined 
to meet requirements of our customers. At present, there are no plans to fund new 
or existing cyber security grant programs at the Defense Advanced Research 
Projects Agency (DARPA). 

The Science and Technology Directorate is also participating with the Infosec Re- 
search Council (IRC) where interaction across the government cyber security R&D 
stakeholders is accomplished. In addition, we participate in the newly established 
National Science and Technology Council (NSTC) Interagency Working Group on 
Critical Infrastructure Information Protection, created as an interagency R&D co- 
ordination working group. The Department of Homeland Security is not formally 
part of the Networking and Information Technology Research and Development 
Interagency Working Group but does interact with the relevant programs through 
the Infosec Research Council and the Interagency Working Group on Critical Infra- 
structure Information Protection. 

Q7. The Cyber Security Research and Development Act makes the National Science 
Foundation (NSF) the lead agency for cyber security research and development, 
as Dr. Colwell testified at the hearing. In what ways are you interacting with 
NSF as it acts as the lead agency in this area? Does NSF review your budget 
proposal for programs in this area? Does NSF lead the agencies in a group effort 
to determine overall cyber security research and development priorities, and if 
so, how? 

A7. As mentioned previously, the Science and Technology Directorate coordinates 
regularly with NSF to understand the existing cyber security R&D programs, the 
agenda and requirements not currently addressed, and identify the gaps. These 
interactions take place via the coordination groups mentioned in the response to the 
previous question, as well as on an individual basis. The Science and Technology 
Directorate has not relied on the NSF to directly set the agenda for DHS’s cyber 
security research and development. Rather, DHS’s cyber security R&D agenda is 
being driven by R&D priority areas as determined by the Department’s mission and 
scope, e.g., those areas related to the needs and requirements that support the tech- 
nology necessary for the Nation’s critical infrastructures to operate and provide 
services. 

Q8. The Committee believes that it is important to train skilled professionals to exe- 
cute information technology security in the private sector and at government 
agencies, as well as scientists and engineers to perform cyber security research 
and development. What do you see as particular workforce needs in cyber secu- 
rity? What actions is DHS taking or planning to take to provide education and 
training in the cyber security area? 

A8. The Science and Technology Directorate recognizes the need for cyber security 
experts that are well trained in technology, science, policy and privacy concerns in 
order to perform the advanced research and development of effective tools to protect 
our information systems and networks. Particular workforce needs are wide and 
varied in this area, ranging from programmers and developers that understand and 
respect cyber security concerns, to network administrators with an understanding 
of risk and appropriate security posture. While the mission of university education 
and curriculum development at the university level is something that falls more 
within the scope of NSF than DHS, we hope to play a role in providing information 
about industry educational needs to NSF. In addition, the S&T Directorate has a 
Homeland Security Fellowships/University Program that is specifically focused on 
encouraging and supporting U.S. students to study and enter fields relevant to 
homeland security; the field of cyber security is certainly one of those fields we will 
support. The Science and Technology Directorate will cooperate with IAIP, NSF, and 
the Office of Personnel Management to encourage and facilitate the expansion and 
interest in the CyberCorps program, the Cyber Defender program, and others that 
may be identified, to address the Nation’s needs for a work force trained adequately 
to implement effective cyber security programs in both public and private sectors. 
By executing its mission well, the Department’s cyber security research and develop- 
ment center will attract some of the best and the brightest to this field. 
Questions submitted by Representative Ralph M. Hall, Minority Ranking 
Member 

Q1. The Department of Homeland Security (DHS) will establish performance criteria 
for acceptable cyber-protection technologies. What exactly will this entail and 
who will be responsible for certifying that these technologies meet DHS 
performance criteria? Also, will government procurement be limited to technologies that 
meet these DHS standards? 

A1. The Science and Technology Directorate will work with the existing processes, 
and particularly with NIST, for the development, review, and establishment of ap- 
propriate performance criteria. The Department of Homeland Security supports cer- 
tification by private sector bodies/programs that technologies meet established per- 
formance criteria; this position is consistent with existing “standards/certification” 
processes in other areas. At present, government procurement of cyber-protection 
technologies is not limited to products that meet specific criteria. 

Q2. DHS intends to establish a DHS R&D Cyber Security Center in cooperation with 
NSF and NIST. How much funding will DHS allocate to this Center? What will 
be the role of NSF and NIST in the Center’s establishment? 

A2. DHS’s Science and Technology Directorate will establish a cyber security re- 
search center as an organizational entity. Once the center is established, we antici- 
pate that a significant portion of the cyber security R&D funding will flow through 
this center. NSF and NIST have provided valuable input in the establishment of the 
center. The DHS Science and Technology Directorate expects to allocate funding of 
$1 million to the Center in FY 2003 and $2 million in FY 2004 (these amounts are 
approximate until contracting is finalized). 

Q3. In establishing the near-term research agenda for DHS, which industry sectors 
did you consult with in developing this agenda, and what role did industry play 
in formulating your near-term research agenda? 

A3. The Science and Technology Directorate developed its near-term cyber security 
research agenda using the areas identified in the National Strategy to Secure Cyber- 
space and from our chief customer, the Information Analysis and Infrastructure Pro- 
tection Directorate. The National Strategy to Secure Cyberspace was developed 
based on extensive interactions with and input from the private sector, including 
sector-specific industry groups, public town hall meetings, and extensive input re- 
ceived in response to a public draft of the document. Additional input came from 
interactions with other agencies (such as those through the Infosec Research Coun- 
cil). Subsequent private sector input to cyber security research and development 
needs and requirements will be sought through the cyber security research and de- 
velopment center. 

Q4. You mentioned in your testimony that your directorate is taking steps to estab- 
lish key relationships with the major cyber security R&D organizations. What 
are these organizations; are they both governmental and in the private sector? 

A4. The Science and Technology Directorate interacts regularly with the govern- 
ment cyber security R&D organizations both directly and through groups such as 
the Infosec Research Council and the newly-established National Science and 
Technology Council (NSTC) Interagency Working Group on Critical Infrastructure 
Information Protection (IWG on CIIP), created under the NSTC as an interagency R&D 
coordination mechanism. Although DHS is not formally part of the Networking and 
Information Technology Research and Development (NITRD) Interagency Working 
Group Program crosscut, DHS does interact with the relevant programs in the 
NITRD through the IRC and the IWG on CIIP. Government agencies that we have 
interacted with include NSF, NIST, Defense Advanced Research Projects Agency 
(DARPA), National Security Agency (NSA), Department of Energy (DOE), Depart- 
ment of Defense (DOD), Office of Science and Technology Policy (OSTP), Advanced 
Research and Development Activity (ARDA), as well as Canada, the United King- 
dom, and Australia. We have not yet initiated formal relationships with the private 
sector; however, we are planning a workshop to include private companies in mid- 
summer to start this process. 
Answers to Post-Hearing Questions 
Responses by Rita R. Colwell, Director, National Science Foundation 

Questions submitted by Chairman Sherwood Boehlert 

Q1. In your testimony to the Committee, you said that cyber security researchers will 
be told about National Science Foundation (NSF) funding opportunities for cen- 
ters, like the competitions for Science and Technology Center grants. However, 
the Cyber Security Research and Development Act authorizes a program specifi- 
cally for Computer and Network Security Research Centers. Will NSF run com- 
petitions specifically targeted at “Cyber Security Centers,” as required by the 
Act? 

A1. NSF is currently preparing a program solicitation entitled Cyber Trust; we ex- 
pect that it will be released toward the end of summer, 2003. The Cyber Trust an- 
nouncement will solicit proposals describing a range of types, including individual 
investigator, small group and center-scale projects. Thus, cyber security centers will 
be targeted in this competition. It is NSF’s intent to continue integrating center- 
scale projects into its existing research and education portfolio of activities at a rate 
that will nurture and sustain the emerging cyber security community in academe. 

Awards made in FY 2004 as a result of the Cyber Trust competition will com- 
plement awards in the agency’s current cyber security portfolio. As the Committee 
may be aware, NSF is already funding center-scale cyber security projects. For ex- 
ample: 

An Industry/University Cooperative Research Center (I/UCRC) on Cyber Protec- 
tion is currently being supported by an NSF planning grant. Building on a strong 
partnership between Iowa State University, Mississippi State University and the 
University of Kansas, as well as key industry partners including EDS, MPI Soft- 
ware Technology, and Amerind, this Center is planning to provide one of the first 
facilities dedicated to creating a simulated Internet for the purpose of researching, 
designing, and testing cyber defense mechanisms. By recreating critical components 
of the infrastructure, end-users and developers will be able to test security configu- 
rations and help researchers from a broad range of disciplines examine the policy, 
business, systems, and economic implications of cyber security innovations. 

The Georgia Institute of Technology’s Center for Experimental Research on Com- 
puter Systems has two primary intellectual thrusts that examine systems surviv- 
ability and security issues. The first deals with the development of a secure distrib- 
uted software infrastructure. The second thrust deals with adaptive management in 
distributed systems with a goal of tolerating failures, attacks, or performance over- 
loads while maximizing system performance. This center works closely with the 
Georgia Tech Information Security Center (GTISC), supporting many of the faculty 
in GTISC. 

Although the merit review process is not yet complete for the FY 2003 ITR com- 
petition, it is increasingly likely that several center-scale awards will be made in 
the area of cyber security. If interested, we would be pleased to share these awards 
with the Committee after they are completed. 

We plan to bring the leaders of these and future center-scale operations in the 
cyber security area together on a regular basis and to publicize them as a group. 
NSF’s Cyber Trust portfolio will include both the centers of excellence, as authorized 
by the Act, and smaller-scale projects, including single investigator projects. At NSF 
we have learned that a variety of coordinated funding approaches is most effective 
in building a strong, coherent research and education community. 

Q2. The Cyber Security Research and Development Act authorizes NSF to run a 
broad, cyber security grants program for individual investigators and small 
groups of investigators. You testified about ongoing work in this area and about 
how cyber security research funding at NSF has increased from $15 million in 
fiscal year 2002 to $30 million in fiscal year 2003. What is the schedule for 
awarding the new grants to be made from the fiscal year 2003 funding and how 
will proposals be solicited? Will there be a competition run specifically in cyber 
security, or will the cyber security proposals be solicited and evaluated as part 
of a more general Information Technology Research or Cyber Infrastructure so- 
licitation? 

A2. NSF’s FY 2003 competitions are drawing to a close at this time. Consequently, 
the agency expects to make many new awards between now and the end of the fiscal 
year. 
During FY 2003, the agency ran several competitions that specifically targeted 
cyber security; these included the Trusted Computing program and the Data and 
Applications Security program. These two competitions yielded over 100 proposals. 
The proposals received have now completed the merit review process and NSF ex- 
pects to make between 30 and 40 new awards before the end of this fiscal year. 

In addition, the agency also emphasized the growing importance of cyber security 
in a number of other FY 2003 solicitations and program announcements, including 
the Information Technology Research (ITR) solicitation, the Embedded and Hybrid 
Systems (EHS) program announcement, the Networking Research Testbeds (NRT) 
program announcement and the NSF Middleware Initiative. Response to these so- 
licitations has been strong in the area of cyber security. If interested, we would be 
pleased to share these awards with the Committee after they are completed. 

Q3. The Cyber Security Research and Development Act emphasizes the importance 
of workforce development, and the Committee believes that it is important to 
train skilled professionals to execute information technology security in the pri- 
vate sector and at government agencies, as well as scientists and engineers to 
perform cyber security research and development. What do you see as particular 
workforce needs in cyber security? 

A3. In order to determine the workforce needs to meet the cyber security demands 
of government and industry, NSF has held and will continue to hold discussions 
with the higher education establishment, and government and industry IT leaders. 

In June 2002 the American Association of Community Colleges (AACC) hosted an 
NSF supported workshop on cyber security education. This workshop examined the 
role of the community colleges in the preparation of cyber security professionals. As 
a result of this workshop, NSF has included cyber security education as a main com- 
ponent of the Advanced Technology Education (ATE) program. Through this pro- 
gram, NSF will be funding two projects related to cyber security, one Center of Ex- 
cellence in Cyber Security Education as well as providing planning grants for two 
more Centers. 

NSF and NIST are planning an invitational workshop of academic, industry, and 
government leaders to help assess the needs and identify the strategies necessary 
to prepare a world-class cyber security workforce. In order to facilitate educational 
innovation in cyber security, design concepts for new cyber security-related curricula 
will be devised. Implementation strategies will be discussed to determine the best 
way to deliver cyber security education to a broad audience. 

The workshop will focus its efforts on strategies for workforce investments in 
cyber security at the undergraduate and doctoral levels. It will also examine imple- 
mentation strategies to support faculty traineeships in cyber security enabling re- 
cent Ph.D. graduates and current IT faculty to pursue academic careers in cyber se- 
curity. 

Q4. The Cyber Security Research and Development Act authorizes NSF to provide 
funding for several activities designed to build this nation’s capacity for cyber 
security education, both of operational cyber security professionals and of future 
cyber security researchers. What steps has NSF taken to execute these programs, 
specifically: 

Q4a. Have programs been started to provide grants to institutions of higher edu- 
cation to establish or improve undergraduate and Master’s degree programs in 
computer and network security and to increase the number of students in these 
programs? 

A4a. NSF has several programs that seek to establish or improve undergraduate 
degree programs in computer and network security, and to increase the number of 
students in these programs. 

Based on the recommendations of the AACC workshop, NSF has included security 
education as a major component of the Advanced Technology Education (ATE) pro- 
gram. Through this program, NSF is funding two cyber security projects and a Cen- 
ter of Excellence in Cyber Security Education as well as providing planning grants 
for two Centers. 

The Center of Excellence in Cyber Security NSF expects to fund in the next two 
months is a consortium of eight institutions of higher learning (two universities, five 
community colleges and one technical college) based in the Midwest. The Center will 
be funded to develop and implement degree programs in IT Security and Data As- 
surance technologies at the certificate, Associate’s and Bachelor’s level. The Center 
will also undertake a comprehensive outreach and support program to increase the 
number of students from under-represented groups in IT professions. In addition, 
Train-the-Trainer summer workshops will be developed for faculty from both two- 
and four-year institutions throughout the region. This project has been approved for 
funding but has not yet been announced to the winners. 

The NSF-CompTIA Cyber Security Fast Track Training and Certification Program 
was initiated this year as a supplemental award to an existing grant. This 
supplemental award extends the mission of the National Workforce Center for Emerging 
Technologies (NWCET) to include the Computing Technology Industry Association’s 
(CompTIA) Security+ certification program for cyber security instructors. The 
supplemental training program will train and certify 80 faculty from 60 community 
colleges in a four month period. Participating faculty will produce best practices 
documentation once they have begun instructing students. This documentation will be 
disseminated to other faculty via the web. 

The Federal Cyber Service: Scholarships for Service (SFS) program is specifically 
designed to address cyber security education issues. Though it preceded the Act, it 
does address the law’s intentions for capacity building and increased student in- 
volvement in cyber security through awards to some of the country’s leading aca- 
demic institutions. Since the inception of the program in mid-2001, SFS has made 
19 scholarship awards and 35 capacity building awards for a total of about $52.9 
million. As a result of this investment, the Federal Government will have recruit- 
ment access to the pool of 200 students currently supported at the 19 scholarship 
institutions. By the end of FY 2004, NSF expects the pool of students to grow to 
350. These individuals will all have degrees, BS, MS, or Ph.D.s in cyber security- 
related fields. All participating institutions have been designated as Centers of Aca- 
demic Excellence in Information Assurance Education (CAE/IAE) by the National 
Security Agency or equivalent. Four new schools have just been accorded Center 
status and their students will enter the program starting this fall. 

Q4b. Have programs been started to provide grants to institutions of higher edu- 
cation to establish traineeship programs for graduate students in computer and 
network security research and to enable these students to pursue academic 
careers in cyber security after they graduate? 

A4b. NSF’s primary support of graduate students in the cyber security arena is 
through research assistantship support in cyber security research and education 
grants. The increasing number of awards made in this area will support as many 
as several hundred graduate students in computer and network security in FY03. 
It is expected that a significant percentage of these students will pursue academic 
careers upon graduation with the doctoral degree. 

In addition to support through research assistantships, graduate students can 
also be supported through traineeships and fellowships awards via programs such 
as the Integrative Graduate Education and Research Training (IGERT) and the 
Graduate Research Fellowships programs. NSF will continue to encourage the sub- 
mission of cyber security traineeship and fellowship proposals through these pro- 
grams, and will fund leading projects as they emerge. However the agency antici- 
pates that as for other fields of science, graduate student support will mainly be 
provided through research assistantships. 

SFS institutions are supporting graduate students who are uniquely qualified to 
enter academia as the next generation of cyber security faculty members. The pro- 
gram has recently been expanded to include active Ph.D. students. Plans are under 
development to increase both the number of yearly graduates and the overall capac- 
ity of the national higher education enterprise to produce the most qualified grad- 
uates and potential new faculty members in the field of cyber security. At the same 
time, the capacity building awards under SFS include activities that support the de- 
velopment of faculty members with expertise in the area of Information Assurance. 

Q5. How does NSF work with other agencies that have cyber security research and 
development programs? 

Q5a. Do you coordinate overall federal goals with the other agencies, and if so, can 
you describe some of the technical milestones or goals in workforce develop- 
ment? 

A5a. NSF coordinates its investments in cyber security workforce development with 
other agencies in the following ways: 

The NSF Scholarships for Service program has helped the Federal Government 
achieve several milestones that are key to cyber security. Through the Federal 
Cyberservice Initiative, the Federal Government has increased access to talented 
cyber security students prior to graduation. NSF has coordinated with the National 
Security Agency (NSA) to make capacity building awards to qualified institutions 
that wish to achieve certification as NSA Cyber Security Centers of Excellence. 
Awardees funded by NSF, NSA and the Department of Defense will come together 
at the 2003 Cyber Service/Cyber Corps Student Symposium. The Symposium, to be 
held at Carnegie Mellon University’s Center for Computer and Communications Se- 
curity, will allow students to network across programs, as well as with their faculty 
mentors and senior Government officials. This coordinated symposium in which the 
students take center-stage is an example of the success that federal workforce devel- 
opment programs in cyber security are enjoying. 

NSF is sponsoring a conference focused on cyber security education to be held on 
June 26-28, 2003. The third annual World Conference on Information Security Edu- 
cation (WISE3) will be held at the Naval Post Graduate School. The conference 
brings together leaders in computer security education from around the globe. The 
theme for the conference is “Teaching the Role of Information Assurance in Critical 
Infrastructure Protection.” 

In conjunction with WISE3, the Workshop on Education in Computer Security 
(WECS) will be held in the three days prior (also at the Naval Postgraduate School). 
WECS is an opportunity for educators to learn about fundamentals and recent ad- 
vances in information assurance and computer security, and to improve their in- 
structional capabilities in these areas. This annual forum allows instructors to share 
best practices and is a significant achievement in building the capacity of the Na- 
tion’s cyber security education enterprise. 

Q5b. Two interagency groups were discussed at the hearing: the Infosec Research 
Council (IRC) and the High Confidence Software and Systems group within the 
Networking and Information Technology Research and Development Interagency 
Working Group. How are these two groups related? 

A5b. The Infosec Research Council (IRC) is an effective knowledge sharing body. 
Though it has no formal charter, the group has served as an important technical 
coordinating organization. Agency representatives use this as a forum to discuss se- 
curity implementations and development activities that they are pursuing, which 
may have synergies with other agencies. This kind of informal coordination leads 
to joint-funded projects and helps to avoid duplication of effort in security develop- 
ment and implementation programs. 

The High Confidence Software & Systems (HCSS) Program Component Area 
(PCA) of the NITRD-IWG concentrates on Research and Development of critical 
technologies that are needed to enable computer systems to achieve high levels of 
availability, reliability, safety, security, survivability, protection and restorability of 
information services. The members of this subgroup take a long-term view. Inte- 
grating the high-confidence attributes that are essential to secure software and sys- 
tems requires formal scientific design principles, large-scale testing and new diag- 
nostic and forensic tools. The HCSS informs development of the Administration’s 
budget in this PCA. 

Though the two groups have different mandates, NSF staff are active in both 
and are working to find synergies along the path from research to implementation. 

Q5c. Do the groups divide up tasks among various agencies? Do they monitor 
progress in cyber security research and development at the agencies? 

A5c. Interagency collaboration is well established in the area of cyber security. Pro- 
gram Officers involved in these interagency working groups share programmatic in- 
formation and cooperate in jointly funded projects. 

In addition to the committees that regularly meet to exchange information and 
coordinate efforts discussed above, the federal cyber security enterprise sponsors 
workshops and meetings with the research and education community. One example 
of the cooperative effort in place is the NSF PI meeting to be held in August 2003. 
This meeting, held in cooperation with the Department of Homeland Security (DHS) 
and the National Institute of Standards and Technology (NIST), will be open to all 
federal personnel with an interest in cyber security. This kind of interagency infor- 
mation sharing is common and ensures that Program Officers are cognizant of the 
full federal portfolio of cyber security activity. It allows them to monitor progress 
made by other federal agencies and leverage it to their specific needs. 

Q5d. You testified that the High Confidence Software and Systems group is working 
to define the federal portfolio of cyber security research and development and 
will identify gaps. When will that effort be complete? What follow-up actions 
will NSF and the other agencies in the group take? 

A5d. The HCSS group, which is co-chaired by an NSF Program Officer, is approach- 
ing cyber security in the federal portfolio as an ongoing program. This work has al- 
ready begun, and though the work will never be complete (cyber security will be a 
dynamic, changing research subject for the foreseeable future) that organization will 
have a consolidated portfolio statement that includes new programs to fill gaps in 
the current portfolio by the end of the fiscal year. 

The agenda will be organized around three interdependent topic areas: near-term 
reduced vulnerability, next-generation embedded security, and interoperable migra- 
tion strategies. NSF will seek to increase funding, basing our priorities on the port- 
folio items that the group identifies. NSF will then look for opportunities to share 
funding with the other agencies involved in HCSS, CUP, and IRC. 
Answers to Post-Hearing Questions 

Responses by Arden L. Bement, Jr., Director, National Institute of Standards and 
Technology, Technology Administration, U.S. Department of Commerce 

Questions submitted by Chairman Sherwood Boehlert 

Q1. The National Institute of Standards and Technology (NIST) has not yet begun 
the grants to institutions of higher education that are partnering with companies 
on cyber security research and development or the re-training fellowships to increase 
the cyber security workforce, both of which are authorized by the Cyber 
Security Research and Development Act. How much funding would NIST need 
to implement these programs? Will NIST request these funds for fiscal year 
2005? 

A1. NIST has provided twelve cyber security research grants in the past two years: 
one to the Critical Infrastructure Protection Project; nine to various recipients under 
the NIST 2001 Critical Infrastructure Protection Grants Program; and two to the 
Institute for Information Infrastructure Protection (I3P) at Dartmouth College’s In- 
stitute for Security and Technology Studies, as described below. Note that, in addi- 
tion, related awards have been made under the NIST Advanced Technology Pro- 
gram and Small Business Innovative Research program. 

Critical Infrastructure Protection Project (CIP Project) 

The CIP Project is a joint effort of George Mason University and James Madison 
University to develop a nationally recognized program that fully integrates the dis- 
ciplines of law, policy, and technology for enhancing the security of cyber networks 
and supporting the Nation’s critical infrastructures. The consideration of all three 
disciplines — law, policy, and technology — is what makes the CIP Project unique. The 
CIP Project is funded by a NIST FY 2002 grant of $6.5 million. We expect to provide 
another $6.5 million in FY03 to fund this activity. 

The CIP Project’s research uniquely and innovatively aligns scholarly research 
with national goals and objectives. Current projects include the following: 

Economic Incentives for Cyber Security: Working closely with Nobel Laureate 
Vernon Smith, the CIP Project is developing software to conduct replicable human 
use experiments to study how individuals create markets to share risk through self- 
insuring cyber networks, secondary insurance markets, contracting, and standards 
development. There are no similar products available for our nation’s critical infra- 
structure owners. 

Securing the Internet Infrastructure: The CIP Project is developing a comprehen- 
sive “map” of our nation’s telecommunications infrastructure and examining how 
connectivity and performance are affected by removal of critical cities (nodes) result- 
ing from physical attacks on key infrastructure facilities. Presently, critical infra- 
structures owners do not have access to such a map for security planning or disaster 
mitigation. 

Cyber Attacker Digital Fingerprinting: The CIP Project is developing methods to 
identify cyber attackers based on characteristics discovered during and after their 
attacks using data mining tools and techniques. Additional research will examine 
the complex intellectual property and privacy implications of this developing tech- 
nology. 

Network Security Risk Assessment Model (NSRAM): The CIP Project is creating 
a tool (the NSRAMT) that will model, detect, and assess network vulnerabilities to 
facilitate enhanced risk quantification, intrusion detection, and network security. 
The NSRAMT improves upon existing tools by incorporating the time dimension 
into the assessment of cyber vulnerabilities. 

NIST Critical Infrastructure Protection Grants Program 

In September 2001, NIST awarded $5M to nine grant recipients under the FY 
2001 Critical Infrastructure Protection Grants Program (CIPGP) to improve the 
robustness, resilience, and security information in all the critical infrastructures. 
Under the competitive grant application process, we received 133 proposals request- 
ing roughly $73M from applicants in both industry and academia. We selected pro- 
posals in intrusion detection, telecommunications, wireless security, electric power 
infrastructure, and compiler security. 

Funded research addresses a variety of topics to include tools and methods for 
analyzing security and detecting attacks due to vulnerabilities introduced by merg- 
ing of data networks (i.e., the Internet) and voice networks (i.e., the public switched 
telephone network). Other topics addressed are attack detection for wireless and 
converged networks, security controls for protecting the North American power grid, 
and methods for evaluating intrusion detection systems. 

While results are still preliminary from the Grants program and some projects 
will not be completed due to a discontinuation of program funding, important devel- 
opments were made in wireless security, converged data/IP networks, and electric 
power infrastructure security. Additional information is available via http:// 
csrc.nist.gov/grants/index.html 

Institute for Information Infrastructure Protection (I3P) 

The Institute for Information Infrastructure Protection (I3P) at Dartmouth Col- 
lege’s Institute for Security and Technology Studies is a consortium of twenty-three 
academic and not-for-profit research organizations focused on cyber security and in- 
formation infrastructure protection research and development (R&D). The I3P helps 
protect the information infrastructure of the United States by developing a com- 
prehensive, prioritized R&D Agenda for cyber security and promoting collaboration 
and information sharing among academia, industry, and government. NIST partici- 
pated in providing input to the I3P’s Cyber Security Research and Development 
Agenda (January 2003) that identified the following as priority research areas: 

• Enterprise Security Management; 

• Trust Among Distributed Autonomous Parties; 

• Discovery and Analysis of Security Properties and Vulnerabilities; 

• Secure System and Network Response and Recovery; 

• Traceback, Identification, and Forensics; 

• Wireless Security; 

• Metrics and Models; and 

• Law, Policy, and Economic Issues. 

Discussion of the I3P’s research methodology and details on each of these topics 
is available in the I3P’s R&D Agenda at http://www.thei3p.org/documents/2003 
Cyber Security RD Agenda.pdf 

The activities of the I3P are supported by NIST grants of $3 million in FY 2001 
and $3 million in FY 2002. 

While these activities are not specifically identified in the Cyber Security Research 
and Development Act, they demonstrate NIST’s commitment to cyber security re- 
search. NIST will do its best to fulfill the specific requirements of the Cyber Security 
Research and Development Act of 2002 within present resources and through future 
budget cycles. 

Q2. At the hearing, you described the importance of standards for information security. 
What are some examples of these standards? How will NIST and the Department 
of Homeland Security (DHS) be working together on such standards? 

Will NIST and DHS be working together on communications for first respond- 
ers? 

A2. Examples of standards that are important for information security include cryp- 
tographic-based standards used for encryption (e.g., Advanced Encryption Standard) 
and for digital signatures. Although not formal standards, other security specifica- 
tions are also important, such as recommendations for security settings for specific 
products and for security features for procured information technology products. 

When appropriate, NIST and DHS will be working together on these standards 
and other cyber security standards and specifications through collaborative research 
and planning, formal exchange of personnel, sharing of information, and joint private 
sector outreach. All of these activities will be facilitated by the recently signed 
Memorandum of Understanding between DHS and the Technology Administration 
(TA) of the Department of Commerce. NIST and DHS will also be working together 
on cyber security standards and biometrics through the American National Stand- 
ards Institute — Homeland Security Standards Panel (ANSI-HSSP). The Chief of 
NIST’s Standards Services Division co-chairs the ANSI-HSSP. 

NIST will work with DHS to ensure that our work is complementary, while main- 
taining our necessary independence. Of course, DHS, like all other federal agencies, 
can take advantage of NIST cyber security guidelines and standards to protect its 
sensitive information and systems. Additionally, like other federal organizations, 
NIST will invite DHS to comment and review NIST’s draft security standards and 
guidelines. Our collaboration is furthered by having DHS membership on our Infor- 
mation Security and Privacy Advisory Board. 

With regard to first responders communications, NIST and the Department of 
Homeland Security have already begun to coordinate efforts aimed at improving the 
communications capabilities of first responders. NIST’s Office of Law Enforcement 
Standards, in partnership with DHS’ Science and Technology Directorate and the 
National Institute of Justice, will be hosting a Summit on Interoperable Commu- 
nications for Public Safety at the end of June. The goal of the Summit will be to 
gather all of the federal and national programs together that are in some way ad- 
dressing public safety communications and provide an understanding on how the 
various programs inter-relate, thus facilitating improved information sharing, co- 
ordination, and focus in this important area. In addition, NIST has been, and will 
continue to work closely with DHS’ SAFECOM program, to provide scientific, engi- 
neering, and standards expertise to the public safety community. 

Q3. The Cyber Security Research and Development Act emphasizes the importance 
of workforce development, and the Committee believes that it is important to 
train skilled professionals to execute information technology security in the pri- 
vate sector and at government agencies, as well as scientists and engineers to 
perform cyber security research and development. What do you see as particular 
workforce needs in cyber security? What actions is your agency taking or planning 
to take to provide education and training in the cyber security area? 

A3. Workforce needs in cyber security include skilled researchers in the areas of 
system vulnerabilities and in security technology, metrology, and testing. A larger 
and more-skilled workforce in the area of systems operations, specifically experts 
that can use today’s tools and techniques to better secure existing critical systems, 
is also needed. The range of skills required is discussed in NIST Special Publication 
800-16. (See http://csrc.nist.gov/publications/nistpubs/index.html) NIST has a role in 
providing guidance on training; a draft NIST guideline is currently out for public 
review. We work with universities (contributor/evaluator for the NSA Centers of Ex- 
cellence program), with industry certification groups, such as International Informa- 
tion Systems Security Certification Consortia, CompTIA, and SANS, and with the 
Federal Information Systems Security Educators Association to develop training 
guidelines. 

NIST provides education and training by hosting various security workshops and 
conferences in the area of cyber security and related fields. For example, we hosted 
a workshop on advanced public key infrastructure research in April. We are also 
hosting a workshop on IT security and capital planning in June. 

Q4. How does NIST work with other agencies that have cyber security research and 
development programs? 

a. Do you coordinate overall federal goals with the other agencies, and if so, can 
you describe some of the technical milestones or goals in workforce develop- 
ment? 

b. Two interagency groups were discussed at the hearing: the Infosec Research 
Council (IRC) and the High Confidence Software and Systems group within 
the Networking and Information Technology Research and Development Interagency 
Working Group. How are these two groups related? Does NIST participate 
in both groups? 

c. Do the groups divide up tasks among various agencies? Do they monitor 
progress in cyber security research and development at the agencies? 

A4. NIST works with DARPA, NSF, OSTP, OMB, NSA, and a range of other federal 
and private sector organizations involved in cyber security research. In the specific 
area of workforce development, NIST participates in the Service for Scholarship pro- 
gram by hiring students and interns. We assist NSA in reviewing their annual ap- 
plications for their centers of excellence designation. NIST also has been assigned 
new responsibilities under the Cyber Security R&D Act for awarding cyber security 
fellowships. In addition, our current CIO recently served a two-year tour as Director 
of the National Coordination Office (NCO) for Information Technology Research and 
Development, reporting to OSTP. The NCO’s work involves twelve federal agencies. 
The High Confidence Software and Systems (HCSS) Working Group is the most fo- 
cused on cyber security issues. 

NIST participates in both the Infosec Research Council (IRC) and the High Con- 
fidence Software and Systems group within the Networking and Information Tech- 
nology Research and Development Interagency Working Group. The IRC serves to 
share research priorities and activities, specifically in the area of cyber security. As 
its charter describes: 

“The INFOSEC Research Council (IRC) consists of U.S. Government sponsors 
of information security research from the Department of Defense, the Intel- 
ligence Community, and Federal Civil Agencies. The IRC provides its membership 
with a community-wide forum to discuss critical information security 
issues, convey the research needs of their respective communities, and describe 
current research initiatives and proposed courses of action for future research 
investments. By participating in the IRC, sponsors obtain and share valuable 
information that will help focus their information security research programs, 
identify high-leverage, high-value research targets of opportunity, and minimize 
duplication of research. The IRC will be a collective effort for the mutual benefit 
and collaboration of the participating organizations and is intended to promote 
intelligent information security research investments. While it is understood 
that each participating agency will have its own research priorities, it is antici- 
pated that the IRC will be able to identify high priority areas of research to 
develop a common, shared appreciation of the important and challenging infor- 
mation security problems of the day.” (www.infosec-research.org) 

The NCO’s HCSS Working Group is more broadly focused than just cyber secu- 
rity: (www.itrd.gov) 

The National Coordination Office (NCO) for Information Technology Research 
and Development (IT R&D) coordinates planning, budget, and assessment ac- 
tivities for the Federal Networking and IT R&D Program. This 12-agency col- 
laborative effort pioneers fundamental advances in the critical technologies of 
the Nation’s information infrastructure, including high performance computing, 
large-scale networking, and high assurance software and systems design. 

The NCO reports to the White House Office of Science and Technology Policy and 
the National Science and Technology Council (NSTC). The NCO works with the par- 
ticipating federal agencies through the NSTC’s Interagency Working Group (IWG) on 
IT R&D and six IWG Coordinating Groups to prepare and implement the $2 billion 
Federal IT R&D budget crosscut. Since no one federal agency cites IT R&D as its 
primary mission, it is vital for agencies to coordinate, collaborate, and cooperate to 
help increase the overall effectiveness and productivity of Federal IT R&D. The 
major research emphases of the IT R&D effort are called Program Component Areas 
(PCAs). 

The High Confidence Software and Systems (HCSS) Program Component Area 
(PCA) concentrates on Research and Development into critical technologies that are 
needed to enable computer systems to achieve high levels of availability, reliability, 
safety, security, survivability, protection and restorability of information services. 

Q5. The Cyber Security Research and Development Act makes the National Science 
Foundation (NSF) the lead agency for cyber security research and development, 
as Dr. Colwell testified at the hearing. In what ways are you interacting with 
NSF as it acts as the lead agency in this area? Does NSF review your budget 
proposal for programs in this area? Does NSF lead the agencies in a group effort 
to determine overall cyber security research and development priorities, and if 
so, how? 

A5. We meet regularly with NSF personnel via the IRC, as described above. NSF 
does not review NIST budget proposals. In addition, as discussed earlier, NIST’s 
current CIO recently served a two-year tour as Director of the National Coordina- 
tion Office (NCO) for Information Technology Research and Development, reporting 
to OSTP. The NCO’s work involves twelve federal agencies, including NSF. 
Information Security and Privacy Advisory Board 

Established by the Computer Security Act of 1987 
[Amended by the Federal Information Security Management Act of 2002] 


April 8, 2003 


The Honorable Mitchell E. Daniels, Jr. 

Director 

Office of Management and Budget 
17th Street and Pennsylvania Avenue, N.W. 

Washington, D.C. 20503 

Dear Mr. Daniels: 

The Information Security and Privacy Advisory Board is a Federal advisory committee established by the 
Computer Security Act of 1987, as amended. The law directs the Board to identify emerging managerial, 
technical, administrative, and physical safeguard issues relative to information security and privacy in 
government systems. The Board is then to advise, among others, the Director, Office of Management and 
Budget and the Secretary of Commerce and to report its findings to the Secretary of Commerce, the Office 
of Management and Budget, the Director of the National Security Agency, and the appropriate committees 
of the Congress. 

At the Board’s March meeting, we reviewed and discussed the National Strategy to Secure Cyberspace, 
issued in February 2003. Our review was preceded by a discussion with David Howe of the President’s 
Critical Infrastructure Protection Board staff at the Board’s December 2002 meeting. Mr. Howe briefed us 
on the process leading to the development of the final Strategy and invited us to submit Board comments. 
We submitted our comments on December 20, 2002, and are providing you with a copy. 

The Board understands that it is the government’s intent to treat the Strategy as a living document, that 
additional development of actions and recommendations will follow, and that the Strategy will evolve. 
The Board believes the following considerations are important to ensure that the Strategy’s objectives are 
met as government moves forward to implement the document’s actions and recommendations. 

Implementation of the Strategy can benefit from existing government programs and capabilities. A 
number of important initiatives are already underway at the Department of Commerce’s National 
Institute of Standards and Technology (NIST) that will provide significant and near-term support for 
key action and recommendations. For example, with respect to Action/Recommendations 3-1 and 
3-3, NIST is already conducting security awareness seminars for the small business community. 


Secretariat: National Institute of Standards and Technology 
100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930 
Telephone: 301/975-3357 *** Fax: 301/926-2733 
Additionally, work underway at NIST, primarily in the Information Technology Laboratory, can 
directly support the Strategy’s actions and recommendations. For example, these include 
commercial product security evaluation and validation, computer security and biometric standards 
development and testing, and programs to improve software quality. Increased direct funding for 
NIST programs should be given high priority. 

With respect to Action/Recommendation 4-4, the Board questions the value of reviewing lessons learned 
from implementation of the Defense Department’s July 2002 policy requiring the acquisition 
of evaluated products. This policy has not been in place long enough to yield significant results. 
The Board also recommends that the broader review of the National Information Assurance 
Partnership (NIAP) include private sector participation in the examination. 

The Strategy includes many recommendations for actions by the private sector to help secure cyberspace. 
In most instances the Strategy does not describe what Federal agencies can or should do to help advance 
such action through mechanisms routinely available to government. These include direct funding, 
indirect incentives such as creation of joint public-private forums and projects, or the use of existing 
regulations in support of cyber security. 

As observed in the Strategy, a principal mechanism government has to compel action is its own 
purchasing power. It would be useful to require agencies to report periodically to OMB what they 
have done or are doing in their own procurement processes to purchase products and services in a 
fashion that promotes achieving the goals prescribed by the Strategy. Such guidance might be built 
into OMB’s reporting process under the Federal Information Security Management Act (FISMA). 

Regulatory authority already available to many agencies (such as FAA, NRC, EPA, DOL, FTC, SEC, 
FCC, Department of Health and Human Services, Department of the Treasury, and others) can be used to 
accelerate implementation of specific recommendations and actions made in the Strategy where 
appropriate. As the Strategy is implemented, it would be useful to ask agencies to report periodically to 
OMB and DHS what they have done or are doing with their regulatory authority to meet the goals 
prescribed by the Strategy. Agencies should also be asked to report whether changes to their regulatory 
authority are warranted to enhance their capabilities in this area. 

As examples, compliance with the requirements of the Sarbanes-Oxley Act of 2002 could include the 
implementation of an effective information security program to help ensure the safeguarding of corporate 
information assets and the integrity of financial reporting. There are already precedents for this, as 
Department of Health and Human Services, Federal Energy Regulatory Commission, and the Nuclear 
Regulatory Commission, among others have sought NIST’s advice with respect to information security 
implementations in support of regulations. 

The Strategy raises larger issues arising from the increased policy and operational intersection 
between public and private sector critical infrastructure protection organizations and systems. 
Many of the Strategy’s actions and recommendations point to a blurring of roles and responsibilities 
between what had been traditionally seen as national security and non-national security systems. 
Recognizing the intent of the Computer Security Act of 1987, as reaffirmed by FISMA, this is an 
issue that must be addressed more directly. Additionally, the Strategy minimally acknowledges the 
critical issue of information and citizen privacy and fails to provide specific actions or 
recommendations. The Board believes this must be addressed as well. 

We thank you for your consideration. 

Sincerely, 

Franklin S. Reeder 
Chairman 

Enclosure 
July 8, 2003 

Current Activities of the National Institute of Standards and Technology 
in Cyber Security and Related Programs 

1. Cyber Security Research Grants 

NIST has provided twelve cyber security research grants in the past two years: 
one to the Critical Infrastructure Protection Project; nine under the NIST 2001 Crit- 
ical Infrastructure Protection Grants Program and two to the Institute for Informa- 
tion Infrastructure Protection (I3P) at Dartmouth College’s Institute for Security 
and Technology Studies. Each will be briefly described. Note that, in addition, re- 
lated awards have been made under the NIST Advanced Technology Program and 
Small Business Innovative Research program, but for the sake of brevity, they will 
not be included at this time. 

Critical Infrastructure Protection Project (CIP Project) 

The CIP Project is a joint effort of George Mason University and James Madison 
University to develop a nationally recognized program that fully integrates the dis- 
ciplines of law, policy, and technology for enhancing the security of cyber networks 
and economic processes supporting the Nation’s critical infrastructures. The consid- 
eration of all three disciplines — law, policy, and technology — is what makes the CIP 
Project unique. The CIP Project is funded by a NIST FY 2002 grant of $6.5 million. 
NIST expects to provide another $6.5 million in FY03 to fund this activity. 

The CIP Project’s research agenda serves as a unique and innovative approach 
to aligning scholarly research with national goals and objectives. Current projects 
include the following: 

Economic Incentives for Cyber Security: Working closely with Nobel Laureate 
Vernon Smith, the CIP Project is developing software to conduct replicable human 
use experiments to study how individuals create markets to share risk through self- 
insuring cyber networks, secondary insurance markets, contracting, and standards 
development. There are no similar products available for our nation’s critical infra- 
structure owners. 

Securing the Internet Infrastructure: The CIP Project is developing a comprehen- 
sive “map” of our nation’s telecommunications infrastructure and examining how 
connectivity and performance are affected by removal of critical cities (nodes) result- 
ing from physical attacks on key infrastructure facilities. Presently, critical infra- 
structures owners do not have access to such a map for security planning or disaster 
mitigation purposes. 

Cyber Attacker Digital Fingerprinting: The CIP Project is developing technological 
methods to identify cyber attackers based on characteristics discovered during and 
after their attacks using data mining tools and techniques. Additional research will 
examine the complex intellectual property and privacy implications of this devel- 
oping technology. 

Network Security Risk Assessment Model (NSRAM): The CIP Project is creating 
a tool (the NSRAMT) that will model, detect, and assess network vulnerabilities in 
order to facilitate enhanced risk quantification, intrusion detection, and network se- 
curity. The NSRAMT improves upon existing tools by incorporating the time dimen- 
sion into the assessment of cyber vulnerabilities. 

NIST Critical Infrastructure Protection Grants Program 

In September 2001, NIST awarded $5M to nine grant recipients under the FY 
2001 Critical Infrastructure Protection Grants Program (CIPGP) to improve the 
robustness, resilience, and security of information in all the critical infrastructures. 
Under the competitive grant application process, NIST received 133 proposals re- 
questing roughly $73M from applicants in both industry and academia. Proposals 
selected were in intrusion detection, telecommunications, wireless security, electric 
power infrastructure, and compiler security. 

Funded research addresses a variety of topics to include tools and methods for 
analyzing security and detecting attacks due to vulnerabilities introduced by merg- 
ing of data networks (i.e., the Internet) and voice networks (i.e., the public switched 
telephone network). Other topics addressed are attack detection for wireless and 
converged networks, the development of security controls for protecting the North 
American power grid, and methods for evaluating intrusion detection systems. 

While results are still preliminary from the Grants program and some projects 
will not be completed due to a discontinuation of program funding, NIST will still 
produce important results especially in the wireless area, converged data/IP net- 
works and security of the electric power infrastructure. Additional information is 
available via http://csrc.nist.gov/grants/index.html 

Institute for Information Infrastructure Protection (I3P) 

The Institute for Information Infrastructure Protection (I3P) at Dartmouth Col- 
lege’s Institute for Security and Technology Studies is a consortium of twenty-three 
academic and not-for-profit research organizations focused on cyber security and 
information infrastructure protection research and development (R&D). The I3P helps 
protect the information infrastructure of the United States by developing a com- 
prehensive, prioritized R&D Agenda for cyber security and promoting collaboration 
and information sharing among academia, industry, and government. NIST partici- 
pated in providing input to the I3P’s Cyber Security Research and Development 
Agenda (January 2003) that identified the following as priority research areas: 

• Enterprise Security Management; 

• Trust Among Distributed Autonomous Parties; 

• Discovery and Analysis of Security Properties and Vulnerabilities; 

• Secure System and Network Response and Recovery; 

• Traceback, Identification, and Forensics; 

• Wireless Security; 

• Metrics and Models; and 

• Law, Policy, and Economic Issues. 

A substantial discussion about the I3P’s research methodology and details on each 
of these topics is available in the I3P’s R&D Agenda at 
http://www.thei3p.org/documents/2003 Cyber Security RD Agenda.pdf 

The activities of the I3P are supported by NIST grants of $3M in FY 2001 and 
a second $3M in FY 2002. NIST expects to provide a third $3M grant in FY 2003 
to I3P. 

2. National Research Council Study of Network Vulnerabilities 

As called for by CSRDA, NIST is also moving forward with steps to fund, in col- 
laboration with DARPA, a National Research Council study to review the 
vulnerabilities and inter-dependencies in NIST’s critical infrastructure networks 
and identify appropriate research needs and associated resource requirements. NRC 
colleagues have already identified a study director and are ready to initiate this 
study. 

3. Security of Supervisory Control and Data Acquisition Systems (SCADA) 

SCADA computerized systems play a key role in controlling industrial processes 
in the food, pharmaceutical, chemical, and oil and gas industries, and other critical 
sectors of the economy. These systems, typically designed as stand-alone systems, 
are now often networked and managed via the Internet. This means that they are 
now vulnerable to the same panoply of security vulnerabilities that confront all 
other Internet-connected systems. NIST’s work in this area is aimed at building 
more secure industrial control systems to protect against threats by terrorists, hack- 
ers, disgruntled employees or anyone else intent on these vitally important elements 
of the Nation’s infrastructure. 

For example, in the area of SCADA systems used in electrical power generation 
and distribution, legacy systems must be retrofitted with security hardware and 
software. NIST is working with EPRI, the electric power industry’s research arm, 
to identify precisely where weaknesses exist and to develop security requirements 
for the real-time systems that control the power grid and other critical industrial 
processes. 

In the area of automated building control systems, work is addressing the hard- 
ening of a host of complex systems that control lighting, ventilation, fire alarm and 
other critical systems. NIST is working with industry to develop security enhance- 
ments for building control systems and also with the General Services Administra- 
tion to implement security features in government buildings. 

4. Biometrics 

The United States visa issuance and border entry-exit systems are required to use 
biometrics to prevent unauthorized persons from entering the U.S. through nearly 
400 air, sea, and land ports of entry. Biometrics are automated methods of recog- 
nizing a person based on physical or behavioral characteristics. 

In response to mandates in the USA PATRIOT Act and the Enhanced Border Se- 
curity and Visa Entry Reform Act, NIST helped develop a report to Congress, sub- 
mitted jointly by the Departments of Justice and State and NIST, on February 4, 
2003, in which NIST recommended that at least two fingerprints and a face image 
be used as the required biometrics. This recommendation was made as a result of 
biometric tests that used hundreds of thousands of samples of real-world data 
obtained from the State Department, the Immigration and Naturalization Service 
(INS), the Texas Department of Public Safety, and the Federal Bureau of Investiga- 
tion (FBI). 

NIST has also obtained a system that models the FBI’s Integrated Automated 
Fingerprint Identification System (IAFIS) and has tested this system. The results 
provide accuracy measurements of the FBI fingerprint matching system, which is 
also mandated in the PATRIOT Act. These measurements are crucial for deter- 
mining how to best perform background checks of foreign nationals applying for 
visas. 

NIST has also been working on standards development for biometrics to provide 
inter-operability among different biometric vendors. NIST developed and spear- 
headed the adoption of a standard for inter-operability and exchange of fingerprint 
and facial image information. This standard is mandatory for data exchange be- 
tween the FBI and state law enforcement organizations. Working through bio- 
metrics standards committees, NIST is developing image-based standards for face, 
finger, and iris that will lead to inter-operability. NIST is also submitting its bio- 
metric evaluation methodology as a testing standard to the International Committee 
for Information Technology Standards. Finally, NIST’s testing results are being 
used to formulate the U.S. position on biometrics with the International Civil Avia- 
tion Organization (ICAO), which establishes international passport standards. 

5. Forensics 

Law enforcement officials and cyber security experts need to sort through the 
reams of files on computers in a timely manner to find evidence of terrorist and 
other criminal activities and to find evidence of cyber security events. Moreover, 
once digital evidence is uncovered, it is in danger of not being accepted in the U.S. 
court system. In order to enable the investigation and the subsequent prosecution 
in court, computer forensics must be based on sound, scientific practices that are 
produced and validated by neutral third parties. 

In response to this need, NIST, working in partnership with the National Insti- 
tute of Justice, the FBI, the U.S. Secret Service, the U.S. Customs Service, the 
DOD, and many State and local agencies, has developed two computer forensics 
products: the National Software Reference Library (NSRL) and the Computer 
Forensics Tool Testing (CFTT) Program. These products are used daily to help solve 
thousands of cases, including terrorism investigations. 

Besides helping solve crimes, the products also help defend digital evidence that 
is introduced in court by prosecutors. The first high profile case to address this is 
the case of alleged terrorist Zacarias Moussaoui. As summarized by CNN, “The 
(prosecutor’s) highly technical report on the computers and e-mail search followed 
a request by court-appointed defense attorneys assisting Moussaoui that computer 
evidence be authenticated.” The “highly technical report,” filed by the Government, 
relies heavily on NIST and specifically references the CFTT project. 

Cyber security experts outside of law enforcement are also using these tools. The 
MIT computer security researchers who set out to prove that significant confidential 
information can be found on discarded computers used the NSRL as part of their 
process. They found over 5000 credit card numbers, medical records and a year of 
ATM transactions. See http://www.msnbc.com/news/859843.asp?cp1=1 

6. Network Security 

NIST’s efforts in Internet security research are focused on both near-term objec- 
tives of expediting significant improvements to the security and integrity of today’s 
Internet technologies, and longer-term objectives such as exploring the use of quan- 
tum information theory to develop ultra-secure networking technologies of the fu- 
ture. 

Our near-term research is directed at working with industry and other govern- 
ment agencies to improve the inter-operability, scalability and performance of new 
Internet security systems and to expedite the development of Internet infrastructure 
protection technologies. NIST staff is actively working with the Internet Engineer- 
ing Task Force (IETF) to design, develop, standardize and test new protocols that 
will make authentication, confidentiality and integrity services inherent capabilities 
of all networks based upon Internet technologies. NIST has taken leadership roles 
within the IETF in the specification of public key infrastructure, network layer secu- 
rity and key management technologies. Working shoulder to shoulder with industry, 
NIST is contributing technical specifications, modeling and analysis results, re- 
search prototypes and test and measurement tools to the IETF community to expe- 
dite the standardization of ubiquitous Internet security services and to foster the 
rapid development of commercial products. 

Another area of focus for the near-term efforts is the research and development 
of technologies to protect the core infrastructure of Internet. NIST is working with 
the IETF and other government agencies to devise means to protect the control pro- 
tocols and infrastructure services that underlie the operation of today’s Internet. 
NIST’s research and standardization efforts in this area include: extensions to the 
Domain Name System (DNS) to add cryptographic authentication to this most basic 
Internet service, and the design and analysis of protection and restoration mecha- 
nisms to improve failure resilience of core switching and routing infrastructures. 
NIST’s future work in this area will focus on improving security and resilience of 
core Internet routing protocols. 

Looking further into the future, NIST sees the potential for new computational 
paradigms to threaten the mathematical underpinnings of today’s cryptographic sys- 
tems. In response, NIST is conducting research in the use of quantum information 
theory to devise ultra-secure network technologies that are not dependent upon to- 
day’s cryptographic techniques. NIST is collaborating with other government agen- 
cies in the design and evaluation of quantum information network technologies, 
ranging from physical devices capable of operating on single photons of a high speed 
optical link, to next generation quantum key distribution protocols capable of ex- 
ploiting these physical links to devise provably secure cryptographic techniques. 

7. Public Key Infrastructure (PKI) 

In the past NIST has done research on PKI, primarily on effective revocation 
strategies and strategies for building large heterogeneous PKIs; however, today ef- 
forts are primarily focused on devising effective assurance tests for PKI components 
and clients. Assurance testing is an important research topic because assurance 
tests that are repeatable and meaningful provide a means for vendors to improve 
the security quality of their products. NIST is attempting to develop specific pass/ 
fail tests and techniques for PKI assurance testing based on specific test require- 
ments, and thus streamlining PKI security testing as compared to ad hoc conven- 
tional security assurance evaluation testing that requires a great deal of product- 
specific design analysis. There has been some success with this in Certificate 
Issuing and Management Components (CIMC) protection profile, for testing certifi- 
cation authorities, which breaks new ground in several areas. Work is now extend- 
ing into client testing, which is more challenging and technically complex. 

NIST also hosts and cosponsors, along with Internet2, an annual PKI research 
conference. Recently, informal collaborations were begun with investigators at the 
Korean Information Security Agency (KISA). We are seeking to invent a secure au- 
thenticator for sensitive personal information in PKI certificates to enable the sub- 
ject to authenticate personal information if he or she chooses to divulge it. 

8. Quantum Information Systems and Quantum Cryptography 

NIST is working on a scalable quantum information network test-bed for research 
in quantum computing and cryptography. While current cryptosystems are ex- 
tremely hard to break, quantum cryptography has the potential to provide truly un- 
breakable codes. A quantum information network is built to exploit the laws of 
quantum mechanics. Present day engineering of computational systems (e.g., clock 
speed for a processor, maximum size of memory) and implementation of algorithms 
(including cryptographic algorithms) are limited by the laws of classical mechanics. 
The results provided by quantum mechanics point out the potential for capabilities 
for computing and communication beyond that theoretically possible with the known 
laws of classical mechanics. This is the reason that quantum computation and quan- 
tum communication have become prime areas of research for applications for quan- 
tum mechanics. 

NIST seeks to develop an extensible quantum information testbed and the scal- 
able component technology essential to the practical realization of a quantum com- 
munication network. Quantum cryptographic systems are the first products of quan- 
tum computing research to advance to the commercial stage, with two products cur- 
rently on the market. This market is expected to continue to grow, producing prod- 
ucts for both government and commercial use. The testbed will demonstrate quan- 
tum communication and quantum cryptographic key distribution with high data 
rate. This testbed, once developed, will provide a measurement and standards infra- 
structure that will be open to the scientific community and will enable wide-ranging 
experiments on both the physical- and network-layer aspects of a quantum commu- 
nication system. The infrastructure will be used to provide calibration, testing, and 
development facilities. 

Quantum cryptography offers several advantages over traditional methods, 
including stronger security, eavesdropping detection, and the ability to generate and 
distribute large amounts of keying material more efficiently than conventional key 
distribution infrastructures. NIST has developed a hybrid authentication protocol for 
quantum networks, combining conventional and quantum methods. Authentication 
is critical for commercially viable quantum key distribution. In addition, this re- 
search has led to the discovery of serious vulnerabilities in many proposed quantum 
cryptographic protocols. Lessons learned from this research will assist quantum pro- 
tocol developers in improving security, and provide the basis for incorporating quan- 
tum cryptographic module testing into the NIST Cryptographic Module Validation 
Program for the FIPS 140-2 standard. 

9. Wireless Mobile Device Security 

With the trend toward a highly mobile workforce, the acquisition of handheld de- 
vices such as Personal Digital Assistants (PDAs) is growing at an ever-increasing 
rate. These devices are relatively inexpensive productivity tools and are quickly be- 
coming a necessity in today’s business environment. Most handheld devices can be 
configured to send and receive electronic mail and browse the Internet. However, 
as handheld devices increasingly retain sensitive information or provide the means 
to obtain such information wirelessly, they must be protected. 

NIST’s efforts to date have focused on improving several aspects of security: user 
authentication, policy enforcement, and wireless communications. For user authen- 
tication NIST has developed a framework for multi-mode authentication that allows 
more than one authentication mechanism to contribute to the verification of a user’s 
identity. For example, a biometric, such as voice input, may be required in combina- 
tion with a security token, such as a smart card, before a user is permitted to access 
the contents of a device. In addition, NIST has invented a visual means of authen- 
tication that not only is easier than passwords for users to authenticate, but also 
significantly more powerful, and has contributed updates to an open source code ini- 
tiative that allow smart cards to be used on certain handheld devices. 

For policy enforcement, NIST has developed a system that requires users to 
present a policy certificate to a device, as a means of moving from a restricted proc- 
essing environment to one in which the privileges accorded a user via the policy cer- 
tificate are enabled. Policy rules govern such things as application usage, file access, 
and communications interfaces, including wireless communications. This mechanism 
allows organization policy controls to be asserted on handheld devices, which typi- 
cally are at the fringes of an organization’s influence, and was designed to tie in 
with emerging Public Key Infrastructures. 

For wireless communications, NIST has developed a highly-regarded publication 
on Wireless Network Security, aimed at reducing the risks associated with 802.11 
wireless local area networks and Bluetooth wireless networks that are commonly 
used with handheld devices. In the six months since its publication, the guideline 
has been downloaded over 120,000 times by users in over 50 countries. 

Additionally, NIST is actively supporting the standards community in moving to- 
wards stronger, more robust security by integrating stronger, more secure cryp- 
tographic algorithms and their associated modes of operation into the next genera- 
tion of the relevant standards. Two of the NIST 2001 Critical Information Protection 
Grants were awarded in the wireless security area to the University of Pittsburgh 
and the University of Maryland. 

The University of Pittsburgh’s research is studying interaction between the sur- 
vivability and security of wireless information architectures. As part of this re- 
search, techniques for evaluating the survivability of wireless networks were devel- 
oped, secure wireless architectures were designed, and strategies for meeting surviv- 
ability and security requirements were examined. The impact of security services on 
performance, energy consumption, speed, and bandwidth were also simulated. The 
researchers demonstrated the interaction of survivability and security and proposed 
methods for measuring and optimizing both of these requirements. These results are 
expected to ultimately be applied to the design of critical wireless infrastructures. 

The University of Maryland research is focused on a secure wireless testbed. 
There are several goals of the Secure Wireless LAN/MAN Infrastructure testbed. 
First, the testbed is testing the secure inter-operation between a multitude of dif- 
ferent wireless equipment — both commercial and developmental. Second, the testbed 
supports research designed to address integration issues arising from the new draft 
security architecture for IEEE 802.11 (Enhanced Security Network), as well as secu- 
rity and management issues surrounding scalability, naming, and fraud control in 
wireless metropolitan networks. Finally, the testbed serves as a wireless security 
training apparatus for students, faculty, and other collaborators. 

10. Access Control 

One of the basic tenets of IT security is controlling access to vital IT resources. 
NIST has been actively researching for many years more cost-effective and efficient 
ways to administer access to critical system resources. In effect, NIST is answering 
the question “who is allowed to do what?” Access control mechanisms can take on 
many forms. Recognizing the inadequacies of traditional, labor-intensive, and error- 
prone approaches to controlling user access to sensitive information and the security 
benefits that could be gained via breakthroughs in access control technology, a NIST 
research team created a new approach to controlling user access, called Role-Based 
Access Control (RBAC). What is most striking about RBAC is its rapid evolution 
from a theoretical model to commercial implementation and deployment. An 
independently conducted NIST-sponsored economic impact study, conducted by RTI, 
estimated that the team’s work will soon be used by some 30 million users for access 
to sensitive information controlled using this technology. RBAC’s productivity ad- 
vantages alone are often sufficient to justify its deployment. An outside study by 
RTI estimated that RBAC technology saved U.S. industry $671 million, and that 
NIST was responsible for 44 percent of the savings, giving the taxpayer a 10,900 
percent return on investment. 
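The testimony names RBAC only by its result (“who is allowed to do what?”). As an added illustration, not NIST’s code or any product described above, the following Python model shows the mechanism RBAC relies on: users are assigned roles, roles hold permissions, senior roles inherit the permissions of junior roles, and access is decided only through that chain. It also enforces a static separation-of-duty rule and refuses inheritance cycles, two checks that an administrator of such a system would want. All role, user and permission names are constructed sample data.

```python
"""Minimal role-based access control (RBAC) model (illustrative, added here)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    """Users -> roles -> permissions; senior roles inherit junior roles.
    A permission is an (operation, object) pair such as ("read", "audit_log")."""
    role_perms: dict = field(default_factory=dict)   # role -> {(op, obj)}
    inherits: dict = field(default_factory=dict)     # senior role -> {junior role}
    user_roles: dict = field(default_factory=dict)   # user -> {role}
    exclusive: list = field(default_factory=list)    # [(role_a, role_b)] static SoD

    def grant(self, role, op, obj):
        """Attach a permission to a role (never directly to a user)."""
        self.role_perms.setdefault(role, set()).add((op, obj))
        self.inherits.setdefault(role, set())

    def add_inheritance(self, senior, junior):
        """Senior inherits everything junior may do. A cycle would make every
        role in it equivalent and silently widen privileges, so refuse it."""
        if senior in self._closure({junior}):
            raise ValueError(f"inheritance cycle: {senior} -> {junior}")
        self.inherits.setdefault(senior, set()).add(junior)
        self.inherits.setdefault(junior, set())

    def add_exclusive(self, role_a, role_b):
        """Static separation of duty: no user may hold both roles."""
        self.exclusive.append((role_a, role_b))

    def assign(self, user, role):
        """Assign a role, rejecting it if the user's effective role set (including
        inherited roles) would then contain two mutually exclusive roles."""
        after = self._closure(self.user_roles.get(user, set()) | {role})
        for a, b in self.exclusive:
            if a in after and b in after:
                raise ValueError(f"{user}: roles {a} and {b} are mutually exclusive")
        self.user_roles.setdefault(user, set()).add(role)

    def _closure(self, roles):
        """All roles reachable from `roles` through the inheritance graph."""
        seen, todo = set(), deque(roles)
        while todo:
            r = todo.popleft()
            if r in seen:
                continue
            seen.add(r)
            todo.extend(self.inherits.get(r, ()))
        return seen

    def effective_roles(self, user):
        return self._closure(self.user_roles.get(user, set()))

    def effective_permissions(self, user):
        perms = set()
        for r in self.effective_roles(user):
            perms |= self.role_perms.get(r, set())
        return perms

    def check(self, user, op, obj):
        """The access decision: is (op, obj) granted to any of the user's roles?"""
        return (op, obj) in self.effective_permissions(user)


def build_sample_policy():
    """Constructed sample data for a small clinic-style policy (hypothetical)."""
    p = RbacPolicy()
    p.grant("clerk", "read", "appointment")
    p.grant("nurse", "read", "patient_record")
    p.grant("physician", "write", "prescription")
    p.grant("pharmacist", "dispense", "prescription")
    p.grant("auditor", "read", "audit_log")
    p.add_inheritance("nurse", "clerk")          # a nurse can do all a clerk can
    p.add_inheritance("physician", "nurse")      # and a physician all a nurse can
    p.add_exclusive("physician", "pharmacist")   # prescriber must not also dispense
    p.assign("alice", "physician")
    p.assign("bob", "clerk")
    p.assign("carol", "auditor")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print(sorted(policy.effective_roles("alice")))        # ['clerk', 'nurse', 'physician']
    print(policy.check("alice", "read", "appointment"))   # True, inherited via nurse -> clerk
    print(policy.check("bob", "read", "patient_record"))  # False
```

The administrative saving the paragraph describes comes from the indirection: when a person changes jobs, one role assignment changes instead of every per-user permission, and the separation-of-duty check is evaluated against the full inherited role set, not only the role being added.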

11. Security Guidelines and Standards 

NIST continues to develop standards and guidelines in support of its federal re- 
sponsibilities. Many of these are also used, on a voluntary basis, by organizations 
in the private sector. Hundreds of thousands of copies of NIST guidelines have been 
downloaded from the NIST Computer Security Resource Center. For example, over 
400,000 copies of NIST’s Contingency Planning Guide for Information Technology 
have been downloaded since its publication less than a year ago. In 2002-2003, 
NIST published the following security guidelines: 

• Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Nam- 
ing Scheme; 

• Federal S/MIME V3 Client Profile; 

• Wireless Network Security: 802.11, Bluetooth, and Handheld Devices; 

• Security Guide for Interconnecting Information Technology Systems; 

• Security for Telecommuting and Broadband Communications; 

• Guidelines on Electronic Mail Security; 

• Guidelines on Securing Public Web Servers; 

• Systems Administration Guidance for Windows 2000 Professional; 

• Guidelines on Firewalls and Firewall Policy; 

• Procedures for Handling Security Patches; 

• Contingency Planning Guide for Information Technology Systems; and 

• Risk Management Guide for Information Technology Systems. 

See http://csrc.nist.gov/publications/nistpubs/index.html 

NIST has also published the following draft guidelines for review by federal de- 
partments and agencies as well as other interested organizations and individuals 
concerning: 

• Guidelines for the Security Certification and Accreditation of Federal Infor- 
mation Technology Systems; 

• Building an Information Technology Security Awareness and Training Pro- 
gram; 

• Recommendation on Key Establishment Schemes; 

• Recommendation on Key Management; 

• Security Metrics Guide for Information Technology Systems; 

• Recommendation for Block Cipher Modes of Operation: the RMAC Authen- 
tication Mode; 

• Guide to Selecting IT Security Products; 

• Guide to IT Security Services; 

• Security Considerations in Federal Information Technology Procurements; 
and 

• Guideline on Network Security Testing. 

See http://csrc.nist.gov/publications/drafts.html 

In addition, numerous NIST Information Technology Laboratory (ITL) Bulletins 
have been issued during the last year to provide guidance to agencies and others 
on a broad list of topics. 

See http://www.itl.nist.gov/lab/bulletns/cslbulll.htm 

NIST has also completed the Keyed-Hash Message Authentication Code as Fed- 
eral Information Processing Standard (FIPS) 198 and provided three new secure 
hashing codes in the enhanced FIPS 180-2. These new enhanced secure hashing 
codes are used to help users create more secure digital signatures. While on the sub- 
ject of cryptography, late in 2001, Secretary Evans approved the Advanced 
Encryption Standard (or AES) as a federal security standard and it is being actively 
adopted by voluntary standards bodies and implemented by vendors. In fact, over 
70 commercial implementations of the AES have already been validated through 
NIST’s Cryptographic Module Validation Program. See 
http://csrc.nist.gov/publications/fips/index.html and http://csrc.nist.gov/cryptval/aes/aesval.html 

12. Reducing Vulnerabilities Through Security Testing 

Both research and security testing can help reduce vulnerabilities in the commer- 
cial IT products used to support the Nation’s critical infrastructures. 

Research on identifying and correcting information technology vulnerabilities is 
urgently needed. When new technologies are identified that could potentially influ- 
ence customers’ security practices, NIST researches the technologies, their potential 
vulnerabilities and also works to find ways to apply new technologies in a secure 
manner. The solutions that NIST develops are made available to both public and 
private users. Some examples are methods for authorization management and policy 
management, ways to compensate for deficiencies in current wireless security stand- 
ards, and ways to implement cryptography. Research helps us find more cost-effec- 
tive ways to implement and address security requirements. 

Security testing complements security standards by providing consumers with 
confidence that security standards and specifications are correctly implemented in 
the products that they buy. Implementing cryptography correctly and securely can 
be complicated. However, unless it is correctly implemented, it may provide no pro- 
tection. Therefore, in conjunction with the Government of Canada’s Communication 
Security Establishment, NIST operates the Cryptographic Module Validation Pro- 
gram, which helps ensure correct and secure implementation of NIST’s cryp- 
tographic standards. The Cryptographic Module Validation Program has now vali- 
dated over 500 modules with another 100 or more expected within the next year. 
This successful program utilizes private-sector accredited laboratories to conduct se- 
curity conformance testing of cryptographic modules against the cryptographic fed- 
eral standards NIST develops and maintains. The testing by the laboratories and 
NIST’s work with Canada involves access to unclassified public algorithms and test 
suites, and not to any Federal Government operational cryptographic keys or classi- 
fied information. Besides many organizations in the financial sector, two major U.S. 
corporations, Boeing and VISA, see such value in the testing program 
that they now require CMVP-validated cryptographic modules to protect their sen- 
sitive information. The Government of the United Kingdom has also officially recog- 
nized CMVP-validated modules for use in their agencies. 

To give a sense of the quality improvement that the program achieves, consider 
that statistics from NIST’s testing laboratories show that 48 percent of the modules 
brought in for voluntary testing had security flaws that were corrected during test- 
ing. In other words, without NIST’s program, the Federal Government would have 
had only a 50/50 chance of buying correctly implemented cryptography! 

In addition, in recent years NIST has worked to develop the “Common Criteria” 
(ISO/IEC 15408), which can be used to specify security requirements. These require- 
ments are then used by private-sector laboratories, accredited by NIST, for the vol- 
untary evaluation of commercial products needed for the protection of government 
systems and networks. This work is undertaken in cooperation with the Defense De- 
partment’s National Security Agency in our National Information Assurance Part- 
nership (NIAP). You may be aware that the National Strategy to Secure Cyberspace 
calls for a review of the NIAP. Staff discussions have begun with NSA to identify 
ways that might improve the process, through research and process changes, and to 
understand the resources needed for NIAP to fully succeed. 

13. Security Awareness and Outreach 

Timely, relevant, and easily accessible information to raise awareness about the 
risks, vulnerabilities and requirements for protection of information systems is ur- 
gently needed. This is particularly true for new and rapidly emerging technologies, 
which are being delivered with such alacrity by industry. NIST also hosts and spon- 
sors information sharing among security educators, the Federal Computer Security 
Program Managers’ Forum, and industry. NIST actively supports information shar- 
ing through conferences, workshops, web pages, publications, and bulletins. Finally, 
NIST also has a guideline available to assist agencies with their training activities 
and is an active supporter of the Federal Information Systems Security Educators’ 
Association. 

NIST sponsors the web-based Computer Security Resource Center (CSRC) to pro- 
vide a wide-range of security materials and information to the community and link 
to the Federal Computer Incident Response Center at DHS and other emergency re- 
sponse centers. CSRC now has over 20 million “hits” annually. On CSRC, one of the 
most popular resources is the NIST-developed web-based tool known as ICAT that 
allows users to identify (and then fix) known vulnerabilities for their specific soft- 
ware. ICAT provides links to vendor sites at which the users can obtain patches to 
fix these vulnerabilities. This is important because many computer break-ins exploit 
well known vulnerabilities. Over 5500 vulnerabilities are now catalogued in this 
NIST on-line database that receives over 200,000 hits per month. See 
http://icat.nist.gov/icat.cfm. 

14. Security Assessment Guideline and Automated Security Self-Evaluation 
Tool (ASSET) 

The Chief Information Officers Council and NIST developed a security assessment 
Framework to assist agencies with a very high level review of their security status. 
The Framework established the groundwork for standardizing on five levels of secu- 
rity and defined criteria agencies could use to determine if the levels were ade- 
quately implemented. By using the Framework levels, an agency can prioritize 
agency efforts as well as evaluate progress. Subsequently, NIST issued a more de- 
tailed security questionnaire that most agencies used in 2001 to conduct their pro- 
gram and system reviews. Last year, in cooperation with OMB, a PC-based auto- 
mated version of the security questionnaire was developed and made available for 
use by agencies in 2002 to collect this information for annual agency security report- 
ing to OMB. 

15. Federal Agency Security Practices Website 

NIST recently inaugurated the Federal Agency Security Practices (FASP) website 
(http://csrc.nist.gov/fasp/), building upon past successful work of the Federal CIO 
Council’s Best Security Practices pilot effort to identify, evaluate, and disseminate 
best practices for CIP and security. NIST was asked to undertake the transition of 
this pilot effort to an operational program. As a result, NIST developed the FASP 
site, which contains agency policies, procedures and practices; the CIO pilot best 
practices; and a Frequently-Asked-Questions section. Agencies are encouraged to 
share their IT security information and IT security practices and submit them for 
posting on the FASP site. Over 80 practices are now available via the site. Some 
practices have been modified so as not to identify the specific submitting agencies. 

In accordance with tasking to NIST under FISMA, discussions are now underway 
to develop a similar web-based service to share security practices from private-sector 
organizations. 

16. IT Product Security Configuration Checklists 

The CSRDA tasked NIST with developing IT product security checklists that pro- 
vide settings and option selections that minimize the security risks associated with 
each computer hardware or software system that is, or is likely to become, widely 
used within the Federal Government. In response, there are plans to hold a public 
workshop to focus on developing a standardized checklist template to structure con- 
figuration and related information. Vendors, agencies, and other reputable sources 
can use the template to construct and submit checklists that will populate a NIST 
public web-based repository. It should be noted that because of vendors’ unique ex- 
pertise, experience, and understanding of the security of their products, voluntary 
participation by vendors in this effort will be particularly sought and valued. The 
workshop will also serve to publicize NIST’s plans to obtain checklists and make 
them available via the CSRC website. NIST will also be crafting ground rules for 
the selection and rejection of submitted checklists. Discussions have already taken 
place with representatives of DISA, NSA, NASA, and GAO regarding initial plans 
and to gain their valuable feedback. NIST hopes to hold the next checklists public 
workshop later this summer and unveil this new service by the end of the year. 

Public Law 107-305 
107th Congress 

An Act 


To authorize funding for computer and network security research and development 
and research fellowship programs, and for other purposes. 


Nov. 27, 2002 
[H.R.3394] 


Be it enacted by the Senate and House of Representatives of 
the United States of America in Congress assembled, 

SECTION 1. SHORT TITLE. 

This Act may be cited as the “Cyber Security Research and 
Development Act”. 


Cyber Security Research and Development Act. 
Communications and telecommunications. 


SEC. 2. FINDINGS. 

The Congress finds the following: 

(1) Revolutionary advancements in computing and commu- 
nications technology have interconnected government, commer- 
cial, scientific, and educational infrastructures — including crit- 
ical infrastructures for electric power, natural gas and petro- 
leum production and distribution, telecommunications, 
transportation, water supply, banking and finance, and emer- 
gency and government services — in a vast, interdependent phys- 
ical and electronic network. 

(2) Exponential increases in interconnectivity have facili- 
tated enhanced communications, economic growth, and the 
delivery of services critical to the public welfare, but have 
also increased the consequences of temporary or prolonged 
failure. 

(3) A Department of Defense Joint Task Force concluded 
after a 1997 United States information warfare exercise that 
the results “clearly demonstrated our lack of preparation for 
a coordinated cyber and physical attack on our critical military 
and civilian infrastructure”. 

(4) Computer security technology and systems implementa- 
tion lack — 

(A) sufficient long term research funding; 

(B) adequate coordination across Federal and State 
government agencies and among government, academia, 
and industry; and 

(C) sufficient numbers of outstanding researchers in 
the field. 

(5) Accordingly, Federal investment in computer and net- 
work security research and development must be significantly 
increased to — 

(A) improve vulnerability assessment and technological 
and systems solutions; 
(B) expand and improve the pool of information secu- 
rity professionals, including researchers, in the United 
States workforce; and 

(C) better coordinate information sharing and 
collaboration among industry, government, and academic 
research projects. 

(6) While African-Americans, Hispanics, and Native Ameri- 
cans constitute 25 percent of the total United States workforce 
and 30 percent of the college-age population, members of these 
minorities comprise less than 7 percent of the United States 
computer and information science workforce. 

15 USC 7402. SEC. 3. DEFINITIONS. 

In this Act: 

(1) Director. — The term “Director” means the Director 
of the National Science Foundation. 

(2) Institution of higher education— The term “institu- 
tion of higher education” has the meaning given that term 
in section 101(a) of the Higher Education Act of 1965 (20 
U.S.C. 1001(a)). 

15 USC 7403. SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH. 

(a) Computer and Network Security Research Grants. — 

(1) In general. — The Director shall award grants for basic 
research on innovative approaches to the structure of computer 
and network hardware and software that are aimed at 
enhancing computer security. Research areas may include — 

(A) authentication, cryptography, and other secure data 
communications technology; 

(B) computer forensics and intrusion detection; 

(C) reliability of computer and network applications, 
middleware, operating systems, control systems, and 
communications infrastructure; 

(D) privacy and confidentiality; 

(E) network security architecture, including tools for 
security administration and analysis; 

(F) emerging threats; 

(G) vulnerability assessments and techniques for quan- 
tifying risk; 

(H) remote access and wireless security; and 

(I) enhancement of law enforcement ability to detect, 
investigate, and prosecute cyber-crimes, including those 
that involve piracy of intellectual property. 

(2) Merit review; competition.— Grants shall be awarded 
under this section on a merit-reviewed competitive basis. 

(3) Authorization of appropriations. — There are author- 
ized to be appropriated to the National Science Foundation 
to carry out this subsection — 

(A) $35,000,000 for fiscal year 2003; 

(B) $40,000,000 for fiscal year 2004; 

(C) $46,000,000 for fiscal year 2005; 

(D) $52,000,000 for fiscal year 2006; and 

(E) $60,000,000 for fiscal year 2007. 

(b) Computer and Network Security Research Centers.— 

(1) In general. — The Director shall award multiyear 
grants, subject to the availability of appropriations, to institu- 
tions of higher education, nonprofit research institutions, or 
consortia thereof to establish multidisciplinary Centers for Com- 
puter and Network Security Research. Institutions of higher 
education, nonprofit research institutions, or consortia thereof 
receiving such grants may partner with 1 or more government 
laboratories or for-profit institutions, or other institutions of 
higher education or nonprofit research institutions. 

(2) Merit review; competition.— Grants shall be awarded 
under this subsection on a merit-reviewed competitive basis. 

(3) Purpose. — The purpose of the Centers shall be to gen- 
erate innovative approaches to computer and network security 
by conducting cutting-edge, multidisciplinary research in com- 
puter and network security, including the research areas 
described in subsection (a)(1). 

(4) Applications. — An institution of higher education, non- 
profit research institution, or consortia thereof seeking funding 
under this subsection shall submit an application to the 
Director at such time, in such manner, and containing such 
information as the Director may require. The application shall 
include, at a minimum, a description of — 

(A) the research projects that will be undertaken by 
the Center and the contributions of each of the partici- 
pating entities; 

(B) how the Center will promote active collaboration 
among scientists and engineers from different disciplines, 
such as computer scientists, engineers, mathematicians, 
and social science researchers; 

(C) how the Center will contribute to increasing the 
number and quality of computer and network security 
researchers and other professionals, including individuals 
from groups historically underrepresented in these fields; 
and 

(D) how the center will disseminate research results 
quickly and widely to improve cyber security in information 
technology networks, products, and services. 

(5) Criteria. — In evaluating the applications submitted 
under paragraph (4), the Director shall consider, at a 
minimum — 

(A) the ability of the applicant to generate innovative 
approaches to computer and network security and effec- 
tively carry out the research program; 

(B) the experience of the applicant in conducting 
research on computer and network security and the 
capacity of the applicant to foster new multidisciplinary 
collaborations; 

(C) the capacity of the applicant to attract and provide 
adequate support for a diverse group of undergraduate 
and graduate students and postdoctoral fellows to pursue 
computer and network security research; and 

(D) the extent to which the applicant will partner 
with government laboratories, for-profit entities, other 
institutions of higher education, or nonprofit research 
institutions, and the role the partners will play in the 
research undertaken by the Center. 

(6) Annual meeting. — The Director shall convene an 
annual meeting of the Centers in order to foster collaboration 
and communication between Center participants. 
(7) Authorization of appropriations.— There are author- 
ized to be appropriated for the National Science Foundation 
to carry out this subsection — 

(A) $12,000,000 for fiscal year 2003; 

(B) $24,000,000 for fiscal year 2004; 

(C) $36,000,000 for fiscal year 2005; 

(D) $36,000,000 for fiscal year 2006; and 

(E) $36,000,000 for fiscal year 2007. 

15 USC 7404. SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK 
SECURITY PROGRAMS. 

(a) Computer and Network Security Capacity Building 
Grants. — 

(1) In general. — The Director shall establish a program 
to award grants to institutions of higher education (or consortia 
thereof) to establish or improve undergraduate and master’s 
degree programs in computer and network security, to increase 
the number of students, including the number of students from 
groups historically underrepresented in these fields, who pursue 
undergraduate or master’s degrees in fields related to computer 
and network security, and to provide students with experience 
in government or industry related to their computer and net- 
work security studies. 

(2) Merit review. — Grants shall be awarded under this 
subsection on a merit-reviewed competitive basis. 

(3) Use of funds.— Grants awarded under this subsection 
shall be used for activities that enhance the ability of an 
institution of higher education (or consortium thereof) to pro- 
vide high-quality undergraduate and master’s degree programs 
in computer and network security and to recruit and retain 
increased numbers of students to such programs. Activities 
may include — 

(A) revising curriculum to better prepare under- 
graduate and master’s degree students for careers in com- 
puter and network security; 

(B) establishing degree and certificate programs in 
computer and network security; 

(C) creating opportunities for undergraduate students 
to participate in computer and network security research 
projects; 

(D) acquiring equipment necessary for student instruc- 
tion in computer and network security, including the 
installation of testbed networks for student use; 

(E) providing opportunities for faculty to work with 
local or Federal Government agencies, private industry, 
nonprofit research institutions, or other academic institu- 
tions to develop new expertise or to formulate new research 
directions in computer and network security; 

(F) establishing collaborations with other academic 
institutions or academic departments that seek to establish, 
expand, or enhance programs in computer and network 
security; 

(G) establishing student internships in computer and 
network security at government agencies or in private 
industry; 

(H) establishing collaborations with other academic 
institutions to establish or enhance a web-based collection 
of computer and network security courseware and labora- 
tory exercises for sharing with other institutions of higher 
education, including community colleges; 

(I) establishing or enhancing bridge programs in com- 
puter and network security between community colleges 
and universities; and 

(J) any other activities the Director determines will 
accomplish the goals of this subsection. 

(4) Selection process. — 

(A) Application. — An institution of higher education 
(or a consortium thereof) seeking funding under this sub- 
section shall submit an application to the Director at such 
time, in such manner, and containing such information 
as the Director may require. The application shall include, 
at a minimum — 

(i) a description of the applicant’s computer and 
network security research and instructional capacity, 
and in the case of an application from a consortium 
of institutions of higher education, a description of 
the role that each member will play in implementing 
the proposal; 

(ii) a comprehensive plan by which the institution 
or consortium will build instructional capacity in com- 
puter and information security; 

(iii) a description of relevant collaborations with 
government agencies or private industry that inform 
the instructional program in computer and network 
security; 

(iv) a survey of the applicant’s historic student 
enrollment and placement data in fields related to 
computer and network security and a study of potential 
enrollment and placement for students enrolled in the 
proposed computer and network security program; and 

(v) a plan to evaluate the success of the proposed 
computer and network security program, including 
post-graduation assessment of graduate school and job 
placement and retention rates as well as the relevance 
of the instructional program to graduate study and 
to the workplace. 

(B) Awards. — (i) The Director shall ensure, to the 
extent practicable, that grants are awarded under this 
subsection in a wide range of geographic areas and cat- 
egories of institutions of higher education, including 
minority serving institutions. 

(ii) The Director shall award grants under this sub- 
section for a period not to exceed 5 years. 

(5) Assessment required.— The Director shall evaluate 
the program established under this subsection no later than 
6 years after the establishment of the program. At a minimum, 
the Director shall evaluate the extent to which the program 
achieved its objectives of increasing the quality and quantity 
of students, including students from groups historically under- 
represented in computer and network security related dis- 
ciplines, pursuing undergraduate or master’s degrees in com- 
puter and network security. 
(6) Authorization of appropriations.— There are author- 
ized to be appropriated to the National Science Foundation 
to carry out this subsection — 

(A) $15,000,000 for fiscal year 2003; 

(B) $20,000,000 for fiscal year 2004; 

(C) $20,000,000 for fiscal year 2005; 

(D) $20,000,000 for fiscal year 2006; and 

(E) $20,000,000 for fiscal year 2007. 

(b) Scientific and Advanced Technology Act of 1992. — 

(1) Grants. — The Director shall provide grants under the 
Scientific and Advanced Technology Act of 1992 (42 U.S.C. 
1862i) for the purposes of section 3(a) and (b) of that Act, 
except that the activities supported pursuant to this subsection 
shall be limited to improving education in fields related to 
computer and network security. 

(2) Authorization of appropriations. — There are author- 
ized to be appropriated to the National Science Foundation 
to carry out this subsection — 

(A) $1,000,000 for fiscal year 2003; 

(B) $1,250,000 for fiscal year 2004; 

(C) $1,250,000 for fiscal year 2005; 

(D) $1,250,000 for fiscal year 2006; and 

(E) $1,250,000 for fiscal year 2007. 

(c) Graduate Traineeships in Computer and Network Secu- 
rity Research.— 

(1) In general. — The Director shall establish a program 
to award grants to institutions of higher education to establish 
traineeship programs for graduate students who pursue com- 
puter and network security research leading to a doctorate 
degree by providing funding and other assistance, and by pro- 
viding graduate students with research experience in govern- 
ment or industry related to the students’ computer and network 
security studies. 

(2) Merit review. — Grants shall be provided under this 
subsection on a merit-reviewed competitive basis. 

(3) Use of funds. — An institution of higher education shall 
use grant funds for the purposes of — 

(A) providing traineeships to students who are citizens, 
nationals, or lawfully admitted permanent resident aliens 
of the United States and are pursuing research in computer 
or network security leading to a doctorate degree; 

(B) paying tuition and fees for students receiving 
traineeships under subparagraph (A); 

(C) establishing scientific internship programs for stu- 
dents receiving traineeships under subparagraph (A) in 
computer and network security at for-profit institutions, 
nonprofit research institutions, or government laboratories; 
and 

(D) other costs associated with the administration of 
the program. 

(4) Traineeship amount. — Traineeships provided under 
paragraph (3)(A) shall be in the amount of $25,000 per year, 
or the level of the National Science Foundation Graduate 
Research Fellowships, whichever is greater, for up to 3 years. 
(5) Selection process. — An institution of higher education 
seeking funding under this subsection shall submit an applica- 
tion to the Director at such time, in such manner, and con- 
taining such information as the Director may require. The 
application shall include, at a minimum, a description of— 

(A) the instructional program and research opportuni- 
ties in computer and network security available to graduate 
students at the applicant's institution; and 

(B) the internship program to be established, including 
the opportunities that will be made available to students 
for internships at for-profit institutions, nonprofit research 
institutions, and government laboratories. 

(6) Review of applications.— In evaluating the applica- 
tions submitted under paragraph (5), the Director shall 
consider — 

(A) the ability of the applicant to effectively carry 
out the proposed program; 

(B) the quality of the applicant’s existing research and 
education programs; 

(C) the likelihood that the program will recruit 
increased numbers of students, including students from 
groups historically underrepresented in computer and net- 
work security related disciplines, to pursue and earn doc- 
torate degrees in computer and network security; 

(D) the nature and quality of the internship program 
established through collaborations with government labora- 
tories, nonprofit research institutions, and for-profit institu- 
tions; 

(E) the integration of internship opportunities into 
graduate students’ research; and 

(F) the relevance of the proposed program to current 
and future computer and network security needs. 

(7) Authorization of appropriations.— There are author- 
ized to be appropriated to the National Science Foundation 
to carry out this subsection — 

(A) $10,000,000 for fiscal year 2003; 

(B) $20,000,000 for fiscal year 2004; 

(C) $20,000,000 for fiscal year 2005; 

(D) $20,000,000 for fiscal year 2006; and 

(E) $20,000,000 for fiscal year 2007. 

(d) Graduate Research Fellowships Program Support. — 

Computer and network security shall be included among the fields 
of specialization supported by the National Science Foundation’s 
Graduate Research Fellowships program under section 10 of the 
National Science Foundation Act of 1950 (42 U.S.C. 1869). 

(e) Cyber Security Faculty Development Traineeship Pro- 
gram. — 

(1) In general. — The Director shall establish a program 
to award grants to institutions of higher education to establish 
traineeship programs to enable graduate students to pursue 
academic careers in cyber security upon completion of doctoral 
degrees. 

(2) Merit review; competition.— Grants shall be awarded 
under this section on a merit-reviewed competitive basis. 

(3) Application. — Each institution of higher education 
desiring to receive a grant under this subsection shall submit 
an application to the Director at such time, in such manner, 
and containing such information as the Director shall require. 

(4) Use of funds. — Funds received by an institution of 
higher education under this paragraph shall — 

(A) be made available to individuals on a merit- 
reviewed competitive basis and in accordance with the 
requirements established in paragraph (7); 

(B) be in an amount that is sufficient to cover annual 
tuition and fees for doctoral study at an institution of 
higher education for the duration of the graduate 
traineeship, and shall include, in addition, an annual living 
stipend of $25,000; and 

(C) be provided to individuals for a duration of no 
more than 5 years, the specific duration of each graduate 
traineeship to be determined by the institution of higher 
education, on a case-by-case basis. 

(5) Repayment. — Each graduate traineeship shall — 

(A) subject to paragraph (5)(B), be subject to full repay- 
ment upon completion of the doctoral degree according 
to a repayment schedule established and administered by 
the institution of higher education; 

(B) be forgiven at the rate of 20 percent of the total 
amount of the graduate traineeship assistance received 
under this section for each academic year that a recipient 
is employed as a full-time faculty member at an institution 
of higher education for a period not to exceed 5 years; 
and 

(C) be monitored by the institution of higher education 
receiving a grant under this subsection to ensure compli- 
ance with this subsection. 

(6) Exceptions. — The Director may provide for the partial 
or total waiver or suspension of any service obligation or pay- 
ment by an individual under this section whenever compliance 
by the individual is impossible or would involve extreme hard- 
ship to the individual, or if enforcement of such obligation 
with respect to the individual would be unconscionable. 

(7) Eligibility. — To be eligible to receive a graduate 
traineeship under this section, an individual shall — 

(A) be a citizen, national, or lawfully admitted perma- 
nent resident alien of the United States; and 

(B) demonstrate a commitment to a career in higher 
education. 

(8) Consideration. — In making selections for graduate 
traineeships under this paragraph, an institution receiving a 
grant under this subsection shall consider, to the extent pos- 
sible, a diverse pool of applicants whose interests are of an 
interdisciplinary nature, encompassing the social scientific as 
well as the technical dimensions of cyber security. 

(9) Authorization of appropriations. — There are author- 
ized to be appropriated to the National Science Foundation 
to carry out this paragraph $5,000,000 for each of fiscal years 
2003 through 2007. 

15 USC 7405. SEC. 6. CONSULTATION. 

In carrying out sections 4 and 5, the Director shall consult 
with other Federal agencies. 
SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND 
NETWORK SECURITY. 

Section 3(a) of the National Science Foundation Act of 1950 
(42 U.S.C. 1862(a)) is amended— 

(1) by striking “and” at the end of paragraph (6); 

(2) by striking “Congress.” in paragraph (7) and inserting 
“Congress; and”; and 

(3) by adding at the end the following: 

“(8) to take a leading role in fostering and supporting 
research and education activities to improve the security of 
networked information systems.”. 

15 USC 7406. SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PRO- 
GRAMS. 

(a) Research Program. — The National Institute of Standards 
and Technology Act (15 U.S.C. 271 et seq.) is amended — 

(1) by moving section 22 to the end of the Act and redesig- 
nating it as section 32 (15 USC 278h, 278q); and 

(2) by inserting after section 21 the following new section: 

15 USC 278h. “SEC. 22. RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS. 

“(a) Establishment. — The Director shall establish a program 
of assistance to institutions of higher education that enter into 
partnerships with for-profit entities to support research to improve 
the security of computer systems. The partnerships may also include 
government laboratories and nonprofit research institutions. The 
program shall — 

“(1) include multidisciplinary, long-term research; 

“(2) include research directed toward addressing needs 
identified through the activities of the Computer System Secu- 
rity and Privacy Advisory Board under section 20(f); and 

“(3) promote the development of a robust research commu- 
nity working at the leading edge of knowledge in subject areas 
relevant to the security of computer systems by providing sup- 
port for graduate students, post-doctoral researchers, and senior 
researchers. 

“(b) Fellowships. — 

“(1) Post-doctoral research fellowships.— The Director 
is authorized to establish a program to award post-doctoral 
research fellowships to individuals who are citizens, nationals, 
or lawfully admitted permanent resident aliens of the United 
States and are seeking research positions at institutions, 
including the Institute, engaged in research activities related 
to the security of computer systems, including the research 
areas described in section 4(a)(1) of the Cyber Security Research 
and Development Act. 

“(2) Senior research fellowships. — The Director is 
authorized to establish a program to award senior research 
fellowships to individuals seeking research positions at institu- 
tions, including the Institute, engaged in research activities 
related to the security of computer systems, including the 
research areas described in section 4(a)(1) of the Cyber Security 
Research and Development Act. Senior research fellowships 
shall be made available for established researchers at institu- 
tions of higher education who seek to change research fields 
and pursue studies related to the security of computer systems. 

“(3) Eligibility.— 
“(A) In general. — To be eligible for an award under 
this subsection, an individual shall submit an application 
to the Director at such time, in such manner, and con- 
taining such information as the Director may require. 

“(B) Stipends. — Under this subsection, the Director 
is authorized to provide stipends for post-doctoral research 
fellowships at the level of the Institute’s Post Doctoral 
Research Fellowship Program and senior research fellow- 
ships at levels consistent with support for a faculty member 
in a sabbatical position. 

“(c) Awards; Applications.— 

“(1) In general. — The Director is authorized to award 
grants or cooperative agreements to institutions of higher edu- 
cation to carry out the program established under subsection 
(a). No funds made available under this section shall be made 
available directly to any for-profit partners. 

“(2) Eligibility. — To be eligible for an award under this 
section, an institution of higher education shall submit an 
application to the Director at such time, in such manner, and 
containing such information as the Director may require. The 
application shall include, at a minimum, a description of — 

“(A) the number of graduate students anticipated to 
participate in the research project and the level of support 
to be provided to each; 

“(B) the number of post-doctoral research positions 
included under the research project and the level of support 
to be provided to each; 

“(C) the number of individuals, if any, intending to 
change research fields and pursue studies related to the 
security of computer systems to be included under the 
research project and the level of support to be provided 
to each; and 

“(D) how the for-profit entities, nonprofit research 
institutions, and any other partners will participate in 
developing and carrying out the research and education 
agenda of the partnership. 

“(d) Program Operation. — 

“(1) Management. — The program established under sub- 
section (a) shall be managed by individuals who shall have 
both expertise in research related to the security of computer 
systems and knowledge of the vulnerabilities of existing com- 
puter systems. The Director shall designate such individuals 
as program managers. 

“(2) Managers may be employees. — Program managers 
designated under paragraph (1) may be new or existing 
employees of the Institute or individuals on assignment at 
the Institute under the Intergovernmental Personnel Act of 
1970, except that individuals on assignment at the Institute 
under the Intergovernmental Personnel Act of 1970 shall not 
directly manage such employees. 

“(3) Manager responsibility.— Program managers des- 
ignated under paragraph (1) shall be responsible for — 

“(A) establishing and publicizing the broad research 
goals for the program; 

“(B) soliciting applications for specific research projects 
to address the goals developed under subparagraph (A); 
“(C) selecting research projects for support under the 
program from among applications submitted to the 
Institute, following consideration of — 

“(i) the novelty and scientific and technical merit 
of the proposed projects; 

“(ii) the demonstrated capabilities of the individual 
or individuals submitting the applications to success- 
fully carry out the proposed research; 

“(iii) the impact the proposed projects will have 
on increasing the number of computer security 
researchers; 

“(iv) the nature of the participation by for-profit 
entities and the extent to which the proposed projects 
address the concerns of industry; and 

“(v) other criteria determined by the Director, 
based on information specified for inclusion in applica- 
tions under subsection (c); and 

“(D) monitoring the progress of research projects sup- 
ported under the program. 

“(4) Reports. — The Director shall report to the Senate 
Committee on Commerce, Science, and Transportation and the 
House of Representatives Committee on Science annually on 
the use and responsibility of individuals on assignment at the 
Institute under the Intergovernmental Personnel Act of 1970 
who are performing duties under subsection (d). 

“(e) Review of Program.— 

“(1) Periodic review. — The Director shall periodically 
review the portfolio of research awards monitored by each 
program manager designated in accordance with subsection 
(d). In conducting those reviews, the Director shall seek the 
advice of the Computer System Security and Privacy Advisory 
Board, established under section 21, on the appropriateness 
of the research goals and on the quality and utility of research 
projects managed by program managers in accordance with 
subsection (d). 

“(2) Comprehensive 5-year review.— The Director shall 
also contract with the National Research Council for a com- 
prehensive review of the program established under subsection 
(a) during the 5th year of the program. Such review shall 
include an assessment of the scientific quality of the research 
conducted, the relevance of the research results obtained to 
the goals of the program established under subsection (d)(3)(A), 
and the progress of the program in promoting the development 
of a substantial academic research community working at the 
leading edge of knowledge in the field. The Director shall 
submit to Congress a report on the results of the review under 
this paragraph no later than 6 years after the initiation of 
the program. 

“(f) Definitions.— In this section: 

“(1) Computer system. — The term ‘computer system’ has 
the meaning given that term in section 20(d)(1). 

“(2) Institution of higher education.— The term ‘institu- 
tion of higher education’ has the meaning given that term 
in section 101(a) of the Higher Education Act of 1965 (20 
U.S.C. 1001(a)).”. 
(b) Amendment of Computer System Definition. — Section 
20(d)(1)(B)(i) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(d)(1)(B)(i)) is amended to read as follows: 

“(i) computers and computer networks;”. 

(c) Checklists for Government Systems.— 

(1) In general. — The Director of the National Institute 
of Standards and Technology shall develop, and revise as nec- 
essary, a checklist setting forth settings and option selections 
that minimize the security risks associated with each computer 
hardware or software system that is, or is likely to become, 
widely used within the Federal Government. 

(2) Priorities for development; excluded systems. — 
The Director of the National Institute of Standards and Tech- 
nology may establish priorities for the development of checklists 
under this paragraph on the basis of the security risks associ- 
ated with the use of the system, the number of agencies that 
use a particular system, the usefulness of the checklist to 
Federal agencies that are users or potential users of the system, 
or such other factors as the Director determines to be appro- 
priate. The Director of the National Institute of Standards 
and Technology may exclude from the application of paragraph 
(1) any computer hardware or software system for which the 
Director of the National Institute of Standards and Technology 
determines that the development of a checklist is inappropriate 
because of the infrequency of use of the system, the obsolescence 
of the system, or the inutility or impracticability of developing 
a checklist for the system. 

(3) Dissemination of checklists. — The Director of the 
National Institute of Standards and Technology shall make 
any checklist developed under this paragraph for any computer 
hardware or software system available to each Federal agency 
that is a user or potential user of the system. 

(4) Agency use requirements.— The development of a 
checklist under paragraph (1) for a computer hardware or soft- 
ware system does not — 

(A) require any Federal agency to select the specific 
settings or options recommended by the checklist for the 
system; 

(B) establish conditions or prerequisites for Federal 
agency procurement or deployment of any such system; 

(C) represent an endorsement of any such system by 
the Director of the National Institute of Standards and 
Technology; nor 

(D) preclude any Federal agency from procuring or 
deploying other computer hardware or software systems 
for which no such checklist has been developed. 

(d) Federal Agency Information Security Programs. — 

(1) In general. — In developing the agencywide information 
security program required by section 3534(b) of title 44, United 
States Code, an agency that deploys a computer hardware 
or software system for which the Director of the National 
Institute of Standards and Technology has developed a checklist 
under subsection (c) of this section — 

(A) shall include in that program an explanation of 
how the agency has considered such checklist in deploying 
that system; and 
(B) may treat the explanation as if it were a portion 
of the agency’s annual performance plan properly classified 
under criteria established by an Executive Order (within 
the meaning of section 1115(d) of title 31, United States 
Code). 

(2) Limitation. — Paragraph (1) does not apply to any com- 
puter hardware or software system for which the National 
Institute of Standards and Technology does not have responsi- 
bility under section 20(a)(3) of the National Institute of Stand- 
ards and Technology Act (15 U.S.C. 278g-3(a)(3)). 

SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION. 

Section 20 of the National Institute of Standards and Tech- 
nology Act (15 U.S.C. 278g-3) is amended by adding at the end 
the following new subsection: 

“(e) Authorization of Appropriations.— There are authorized 
to be appropriated to the Secretary $1,060,000 for fiscal year 2003 
and $1,090,000 for fiscal year 2004 to enable the Computer System 
Security and Privacy Advisory Board, established by section 21, 
to identify emerging issues, including research needs, related to 
computer security, privacy, and cryptography and, as appropriate, 
to convene public meetings on those subjects, receive presentations, 
and publish reports, digests, and summaries for public distribution 
on those subjects.”. 

SEC. 10. INTRAMURAL SECURITY RESEARCH. 

Section 20 of the National Institute of Standards and Tech- 
nology Act (15 U.S.C. 278g-3), as amended by this Act, is further 
amended by redesignating subsection (e) as subsection (f), and 
by inserting after subsection (d) the following: 

“(e) Intramural Security Research. — As part of the research 
activities conducted in accordance with subsection (b)(4), the 
Institute shall — 

“(1) conduct a research program to address emerging tech- 
nologies associated with assembling a networked computer 
system from components while ensuring it maintains desired 
security properties; 

“(2) carry out research associated with improving the secu- 
rity of real-time computing and communications systems for 
use in process control; and 

“(3) carry out multidisciplinary, long-term, high-risk 
research on ways to improve the security of computer systems.”. 

SEC. 11. AUTHORIZATION OF APPROPRIATIONS. 15 USC 7407. 

There are authorized to be appropriated to the Secretary of 
Commerce for the National Institute of Standards and Technology — 

(1) for activities under section 22 of the National Institute 
of Standards and Technology Act, as added by section 8 of 
this Act — 

(A) $25,000,000 for fiscal year 2003; 

(B) $40,000,000 for fiscal year 2004; 

(C) $55,000,000 for fiscal year 2005; 

(D) $70,000,000 for fiscal year 2006; 

(E) $85,000,000 for fiscal year 2007; and 

(2) for activities under section 20(f) of the National Institute 
of Standards and Technology Act, as added by section 10 of 
this Act — 
(A) $6,000,000 for fiscal year 2003; 

(B) $6,200,000 for fiscal year 2004; 

(C) $6,400,000 for fiscal year 2005; 

(D) $6,600,000 for fiscal year 2006; and 

(E) $6,800,000 for fiscal year 2007. 

SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK SECURITY IN CRITICAL INFRASTRUCTURES. 15 USC 7408. 

(a) Study. — Not later than 3 months after the date of the 
enactment of this Act, the Director of the National Institute of 
Standards and Technology shall enter into an arrangement with 
the National Research Council of the National Academy of Sciences 
to conduct a study of the vulnerabilities of the Nation’s network 
infrastructure and make recommendations for appropriate improve- 
ments. The National Research Council shall — 

(1) review existing studies and associated data on the 
architectural, hardware, and software vulnerabilities and inter- 
dependencies in United States critical infrastructure networks; 

(2) identify and assess gaps in technical capability for 
robust critical infrastructure network security and make rec- 
ommendations for research priorities and resource require- 
ments; and 

(3) review any and all other essential elements of computer 
and network security, including security of industrial process 
controls, to be determined in the conduct of the study. 

(b) Report. — The Director of the National Institute of Standards 
and Technology shall transmit a report containing the results 
of the study and recommendations required by subsection (a) to 
the Senate Committee on Commerce, Science, and Transportation 
and the House of Representatives Committee on Science not later 
than 21 months after the date of enactment of this Act. 

(c) Security. — The Director of the National Institute of Stand- 
ards and Technology shall ensure that no information that is classi- 
fied is included in any publicly released version of the report 
required by this section. 

(d) Authorization of Appropriations.— There are authorized 
to be appropriated to the Secretary of Commerce for the National 
Institute of Standards and Technology for the purposes of carrying 
out this section, $700,000. 

SEC. 13. COORDINATION OF FEDERAL CYBER SECURITY RESEARCH AND DEVELOPMENT. 15 USC 7409. 

The Director of the National Science Foundation and the 
Director of the National Institute of Standards and Technology 
shall coordinate the research programs authorized by this Act or 
pursuant to amendments made by this Act. The Director of the 
Office of Science and Technology Policy shall work with the Director 
of the National Science Foundation and the Director of the National 
Institute of Standards and Technology to ensure that programs 
authorized by this Act or pursuant to amendments made by this 
Act are taken into account in any government-wide cyber security 
research effort. 

SEC. 14. OFFICE OF SPACE COMMERCIALIZATION. 

Section 8(a) of the Technology Administration Act of 1998 (15 
U.S.C. 1511e(a)) is amended by inserting “the Technology Adminis- 
tration of” after “within”. 
SEC. 15. TECHNICAL CORRECTION OF NATIONAL CONSTRUCTION SAFETY TEAM ACT. 15 USC 7301. 

Section 2(c)(1)(d) of the National Construction Safety Team 
Act is amended by striking “section 8;” and inserting “section If. 

SEC. 16. GRANT ELIGIBILITY REQUIREMENTS AND COMPLIANCE WITH IMMIGRATION LAWS. 15 USC 7410. 

(a) Immigration Status. — No grant or fellowship may be 
awarded under this Act, directly or indirectly, to any individual 
who is in violation of the terms of his or her status as a non- 
immigrant under section 101(a)(15)(F), (M), or (J) of the Immigra- 
tion and Nationality Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)). 

(b) Aliens from Certain Countries. — No grant or fellowship 
may be awarded under this Act, directly or indirectly, to any alien 
from a country that is a state sponsor of international terrorism, 
as defined under section 306(b) of the Enhanced Border Security 
and VISA Entry Reform Act (8 U.S.C. 1735(b)), unless the Secretary 
of State determines, in consultation with the Attorney General 
and the heads of other appropriate agencies, that such alien does 
not pose a threat to the safety or national security of the United 
States. 

(c) Non-complying Institutions. — No grant or fellowship may 
be awarded under this Act, directly or indirectly, to any institution 
of higher education or non-profit institution (or consortia thereof) 
that has — 

(1) materially failed to comply with the recordkeeping and 
reporting requirements to receive nonimmigrant students or 
exchange visitor program participants under section 
101(a)(15)(F), (M), or (J) of the Immigration and Nationality 
Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)), or section 641 of 
the Illegal Immigration Reform and Responsibility Act of 1996 
(8 U.S.C. 1372), as required by section 502 of the Enhanced 
Border Security and VISA Entry Reform Act (8 U.S.C. 1762); 
or 

(2) been suspended or terminated pursuant to section 502(c) 
of the Enhanced Border Security and VISA Entry Reform Act 
(8 U.S.C. 1762(c)). 

SEC. 17. REPORT ON GRANT AND FELLOWSHIP PROGRAMS. 15 USC 7411. 

Within 24 months after the date of enactment of this Act, 
the Director, in consultation with the Assistant to the President 
for National Security Affairs, shall submit to Congress a report 
reviewing this Act to ensure that the programs and fellowships 
are being awarded under this Act to individuals and institutions 
of higher education who are in compliance with the Immigration 
and Nationality Act (8 U.S.C. 1101 et seq.) in order to protect 
our national security. 

Approved November 27, 2002. 